[heap] Do not assume non-empty TracedReference in marker

Most paths filter out empty reference on cppgc::Visitor or v8::JSVisitor level. For v8::TracedReference we may end up with empty reference in case of ephemeron tracing which cannot perfom the null checks on the outer visitor. Bug: chromium:1315550, v8:12600 Change-Id: I5ebb466100a6f2cf25a75585fc2267a632497548 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3582124Reviewed-by: Omer Katz <omerkatz@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#79943}

[heap] Do not assume non-empty TracedReference in marker
Most paths filter out empty reference on cppgc::Visitor or v8::JSVisitor level. For v8::TracedReference we may end up with empty reference in case of ephemeron tracing which cannot perfom the null checks on the outer visitor. Bug: chromium:1315550, v8:12600 Change-Id: I5ebb466100a6f2cf25a75585fc2267a632497548 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3582124Reviewed-by: Omer Katz <omerkatz@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#79943}
5c8295be · Michael Lippautz · V8 LUCI CQ · 13407a88 · 5c8295be
Commit 5c8295be authored Apr 12, 2022 by Michael Lippautz Committed by V8 LUCI CQ Apr 12, 2022
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 9 deletions

unified-heap-marking-state-inl.h src/heap/cppgc-js/unified-heap-marking-state-inl.h +12 -9

No files found.
--- a/src/heap/cppgc-js/unified-heap-marking-state-inl.h
+++ b/src/heap/cppgc-js/unified-heap-marking-state-inl.h
@@ -18,9 +18,18 @@ namespace internal {

 class BasicTracedReferenceExtractor {
 public:
-  static Address* ObjectReference(const TracedReferenceBase& ref) {
-    return const_cast<Address*>(
+  static Object GetObjectForMarking(const TracedReferenceBase& ref) {
+    Address* global_handle_location = const_cast<Address*>(
        reinterpret_cast<const Address*>(ref.GetSlotThreadSafe()));
+    // We cannot assume that the reference is non-null as we may get here by
+    // tracing an ephemeron which doesn't have early bailouts, see
+    // `cppgc::Visitor::TraceEphemeron()` for non-Member values.
+    if (!global_handle_location) return Object();
+
+    GlobalHandles::MarkTraced(global_handle_location);
+    return Object(
+        reinterpret_cast<std::atomic<Address>*>(global_handle_location)
+            ->load(std::memory_order_relaxed));
  }
 };

@@ -29,13 +38,7 @@ void UnifiedHeapMarkingState::MarkAndPush(
  // The following code will crash with null pointer derefs when finding a
  // non-empty `TracedReferenceBase` when `CppHeap` is in detached mode.

-  Address* global_handle_location =
-      BasicTracedReferenceExtractor::ObjectReference(reference);
-  DCHECK_NOT_NULL(global_handle_location);
-
-  GlobalHandles::MarkTraced(global_handle_location);
-  Object object(reinterpret_cast<std::atomic<Address>*>(global_handle_location)
-                    ->load(std::memory_order_relaxed));
+  Object object = BasicTracedReferenceExtractor::GetObjectForMarking(reference);
  if (!object.IsHeapObject()) {
    // The embedder is not aware of whether numbers are materialized as heap
    // objects are just passed around as Smis.