[heap] Fix allocation timeout

Fix underflow in allocation timeout which is used by fuzzers to trigger garabge collection. Bug: chromium:1337646 Change-Id: Iffa70497c2945a26242e9e67820197bd5e61f04c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711758 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org> Cr-Commit-Position: refs/heads/main@{#81246}

[heap] Fix allocation timeout
Fix underflow in allocation timeout which is used by fuzzers to trigger garabge collection. Bug: chromium:1337646 Change-Id: Iffa70497c2945a26242e9e67820197bd5e61f04c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3711758 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Nikolaos Papaspyrou <nikolaos@chromium.org> Cr-Commit-Position: refs/heads/main@{#81246}
39a2c91f · Michael Lippautz · V8 LUCI CQ · 3cb521fe · 39a2c91f · 39a2c91f
Commit 39a2c91f authored Jun 20, 2022 by Michael Lippautz Committed by V8 LUCI CQ Jun 20, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 6 deletions

heap-allocator.cc src/heap/heap-allocator.cc +3 -1

heap-allocator.h src/heap/heap-allocator.h +7 -5

No files found.
--- a/src/heap/heap-allocator.cc
+++ b/src/heap/heap-allocator.cc
@@ -156,7 +156,9 @@ void HeapAllocator::SetAllocationGcInterval(int allocation_gc_interval) {
 std::atomic<int> HeapAllocator::allocation_gc_interval_{-1};

 void HeapAllocator::SetAllocationTimeout(int allocation_timeout) {
-  allocation_timeout_ = allocation_timeout;
+  // See `allocation_timeout_` for description. We map negative values to 0 to
+  // avoid underflows as allocation decrements this value as well.
+  allocation_timeout_ = std::max(0, allocation_timeout);
 }

 void HeapAllocator::UpdateAllocationTimeout() {

--- a/src/heap/heap-allocator.h
+++ b/src/heap/heap-allocator.h
@@ -69,6 +69,7 @@ class V8_EXPORT_PRIVATE HeapAllocator final {

 #ifdef V8_ENABLE_ALLOCATION_TIMEOUT
  void UpdateAllocationTimeout();
+  // See `allocation_timeout_`.
  void SetAllocationTimeout(int allocation_timeout);

  static void SetAllocationGcInterval(int allocation_gc_interval);
@@ -110,14 +111,15 @@ class V8_EXPORT_PRIVATE HeapAllocator final {
  ConcurrentAllocator* shared_map_allocator_;

 #ifdef V8_ENABLE_ALLOCATION_TIMEOUT
-  // If the {allocation_gc_interval_} is set to a positive value, this variable
-  // holds the value indicating the number of allocations remain until the
-  // next failure and garbage collection.
+  // Specifies how many allocations should be performed until returning
+  // allocation failure (which will eventually lead to garbage collection).
+  // Allocation will fail for any values <=0. See `UpdateAllocationTimeout()`
+  // for how the new timeout is computed.
  int allocation_timeout_ = 0;

  // The configured GC interval, initialized from --gc-interval during
-  // {InitializeOncePerProcess} and potentially dynamically updated by
-  // %SetAllocationTimeout.
+  // `InitializeOncePerProcess` and potentially dynamically updated by
+  // `%SetAllocationTimeout()`.
  static std::atomic<int> allocation_gc_interval_;
 #endif  // V8_ENABLE_ALLOCATION_TIMEOUT
 };