[unified-heap] Call TraceEpilogue at the end of a MC GC

Marking resets global handles which touches the corresponding slots on the embedder side. The embedder may already have freed the memory which results in use after free. Bug: chromium:843903 Change-Id: I05a62f28d801b4de167f6fbf1be29743544c1293 Reviewed-on: https://chromium-review.googlesource.com/c/1296457Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#56911}

[unified-heap] Call TraceEpilogue at the end of a MC GC
Marking resets global handles which touches the corresponding slots on the embedder side. The embedder may already have freed the memory which results in use after free. Bug: chromium:843903 Change-Id: I05a62f28d801b4de167f6fbf1be29743544c1293 Reviewed-on: https://chromium-review.googlesource.com/c/1296457Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#56911}
3f850f4d · Michael Lippautz · Commit Bot · 24348798 · 3f850f4d · 3f850f4d
Commit 3f850f4d authored Oct 23, 2018 by Michael Lippautz Committed by Commit Bot Oct 23, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 8 deletions

heap-symbols.h src/heap-symbols.h +1 -1

gc-tracer.cc src/heap/gc-tracer.cc +4 -3

mark-compact.cc src/heap/mark-compact.cc +8 -4

No files found.
--- a/src/heap-symbols.h
+++ b/src/heap-symbols.h
@@ -405,6 +405,7 @@
  F(MC_EVACUATE_UPDATE_POINTERS_SLOTS_MAP_SPACE)     \
  F(MC_EVACUATE_UPDATE_POINTERS_TO_NEW_ROOTS)        \
  F(MC_EVACUATE_UPDATE_POINTERS_WEAK)                \
+  F(MC_FINISH_WRAPPER_EPILOGUE)                      \
  F(MC_MARK_FINISH_INCREMENTAL)                      \
  F(MC_MARK_MAIN)                                    \
  F(MC_MARK_ROOTS)                                   \
@@ -416,7 +417,6 @@
  F(MC_MARK_WEAK_CLOSURE_WEAK_ROOTS)                 \
  F(MC_MARK_WEAK_CLOSURE_HARMONY)                    \
  F(MC_MARK_WRAPPERS)                                \
-  F(MC_MARK_WRAPPER_EPILOGUE)                        \
  F(MC_MARK_WRAPPER_PROLOGUE)                        \
  F(MC_MARK_WRAPPER_TRACING)                         \
  F(MC_SWEEP_CODE)                                   \

--- a/src/heap/gc-tracer.cc
+++ b/src/heap/gc-tracer.cc
@@ -684,6 +684,7 @@ void GCTracer::PrintNVP() const {
          "evacuate.update_pointers.slots.map_space=%.1f "
          "evacuate.update_pointers.weak=%.1f "
          "finish=%.1f "
+          "finish.wrapper_epilogue=%.1f "
          "mark=%.1f "
          "mark.finish_incremental=%.1f "
          "mark.roots=%.1f "
@@ -696,7 +697,6 @@ void GCTracer::PrintNVP() const {
          "mark.weak_closure.weak_roots=%.1f "
          "mark.weak_closure.harmony=%.1f "
          "mark.wrapper_prologue=%.1f "
-          "mark.wrapper_epilogue=%.1f "
          "mark.wrapper_tracing=%.1f "
          "prologue=%.1f "
          "sweep=%.1f "
@@ -779,7 +779,9 @@ void GCTracer::PrintNVP() const {
          current_.scopes[Scope::MC_EVACUATE_UPDATE_POINTERS_SLOTS_MAIN],
          current_.scopes[Scope::MC_EVACUATE_UPDATE_POINTERS_SLOTS_MAP_SPACE],
          current_.scopes[Scope::MC_EVACUATE_UPDATE_POINTERS_WEAK],
-          current_.scopes[Scope::MC_FINISH], current_.scopes[Scope::MC_MARK],
+          current_.scopes[Scope::MC_FINISH],
+          current_.scopes[Scope::MC_FINISH_WRAPPER_EPILOGUE],
+          current_.scopes[Scope::MC_MARK],
          current_.scopes[Scope::MC_MARK_FINISH_INCREMENTAL],
          current_.scopes[Scope::MC_MARK_ROOTS],
          current_.scopes[Scope::MC_MARK_MAIN],
@@ -791,7 +793,6 @@ void GCTracer::PrintNVP() const {
          current_.scopes[Scope::MC_MARK_WEAK_CLOSURE_WEAK_ROOTS],
          current_.scopes[Scope::MC_MARK_WEAK_CLOSURE_HARMONY],
          current_.scopes[Scope::MC_MARK_WRAPPER_PROLOGUE],
-          current_.scopes[Scope::MC_MARK_WRAPPER_EPILOGUE],
          current_.scopes[Scope::MC_MARK_WRAPPER_TRACING],
          current_.scopes[Scope::MC_PROLOGUE], current_.scopes[Scope::MC_SWEEP],
          current_.scopes[Scope::MC_SWEEP_CODE],

--- a/src/heap/mark-compact.cc
+++ b/src/heap/mark-compact.cc
@@ -841,6 +841,14 @@ void MarkCompactCollector::Finish() {
    Deoptimizer::DeoptimizeMarkedCode(isolate());
    have_code_to_deoptimize_ = false;
  }
+
+  {
+    TRACE_GC(heap()->tracer(), GCTracer::Scope::MC_FINISH_WRAPPER_EPILOGUE);
+    // TraceEpilogue may trigger operations that invalidate global handles. It
+    // has to be called *after* all other operations that potentially touch and
+    // reset global handles.
+    heap()->local_embedder_heap_tracer()->TraceEpilogue();
+  }
 }

 class MarkCompactCollector::RootMarkingVisitor final : public RootVisitor {
@@ -1808,10 +1816,6 @@ void MarkCompactCollector::MarkLiveObjects() {
    {
      TRACE_GC(heap()->tracer(), GCTracer::Scope::MC_MARK_WEAK_CLOSURE_HARMONY);
      ProcessEphemeronMarking();
-      {
-        TRACE_GC(heap()->tracer(), GCTracer::Scope::MC_MARK_WRAPPER_EPILOGUE);
-        heap()->local_embedder_heap_tracer()->TraceEpilogue();
-      }
      DCHECK(marking_worklist()->IsEmbedderEmpty());
      DCHECK(marking_worklist()->IsEmpty());
    }