[compiler] Address two concurrency TODOs

JSHeapBroker::ReadFeedbackForCall() - it may be that the JSFunction we read in the feedback vector hasn't been store-ordered and is therefore unsafe to read. Therefore, we need to call the gc predicate to ensure safety. JSFunctionRef::feedback_vector() & raw_feedback_cell() - I was able to remove the TODO warning about uninitialized data visible from a direct read of these fields from the background. This is because we either store-order into those fields, or rely on a prior store-ordering. Additionally, FeedbackVectorRef and FeedbackCellRef are never-serialized objects, so their first encounter on the background thread is fine (we don't need to have seen and serialized them on the main thread first). Bug: v8:7790 Change-Id: I9cd19999e70fadcf62778dac2b0f679966a4a53f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3026708Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#75720}

[compiler] Address two concurrency TODOs
JSHeapBroker::ReadFeedbackForCall() - it may be that the JSFunction we read in the feedback vector hasn't been store-ordered and is therefore unsafe to read. Therefore, we need to call the gc predicate to ensure safety. JSFunctionRef::feedback_vector() & raw_feedback_cell() - I was able to remove the TODO warning about uninitialized data visible from a direct read of these fields from the background. This is because we either store-order into those fields, or rely on a prior store-ordering. Additionally, FeedbackVectorRef and FeedbackCellRef are never-serialized objects, so their first encounter on the background thread is fine (we don't need to have seen and serialized them on the main thread first). Bug: v8:7790 Change-Id: I9cd19999e70fadcf62778dac2b0f679966a4a53f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3026708Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#75720}
72c8f3fb · Mike Stanton · V8 LUCI CQ · d5b27bd2 · 72c8f3fb · 72c8f3fb
Commit 72c8f3fb authored Jul 14, 2021 by Mike Stanton Committed by V8 LUCI CQ Jul 14, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 12 deletions

heap-refs.h src/compiler/heap-refs.h +0 -5

js-heap-broker.cc src/compiler/js-heap-broker.cc +3 -7

No files found.
--- a/src/compiler/heap-refs.h
+++ b/src/compiler/heap-refs.h
@@ -423,11 +423,6 @@ class V8_EXPORT_PRIVATE JSFunctionRef : public JSObjectRef {
  void SerializeCodeAndFeedback();
  bool serialized_code_and_feedback() const;

-  // The following are available only after calling SerializeCodeAndFeedback().
-  // TODO(mvstanton): Once we allow inlining of functions we didn't see
-  // during serialization, we do need to ensure that any feedback vector
-  // we read here has been fully initialized (ie, store-ordered into the
-  // cell).
  FeedbackVectorRef feedback_vector() const;
  FeedbackCellRef raw_feedback_cell() const;
  CodeRef code() const;

--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@@ -804,16 +804,12 @@ ProcessedFeedback const& JSHeapBroker::ReadFeedbackForCall(

  base::Optional<HeapObjectRef> target_ref;
  {
-    // TODO(mvstanton): this read has a special danger when done on the
-    // background thread, because the CallIC has a site in generated code
-    // where a JSFunction is installed in this slot without store ordering.
-    // Therefore, we will need to check {maybe_target} to ensure that it
-    // has been store ordered by the heap's mechanism for store-ordering
-    // batches of new objects.
    MaybeObject maybe_target = nexus.GetFeedback();
    HeapObject target_object;
    if (maybe_target->GetHeapObject(&target_object)) {
-      target_ref = MakeRef(this, handle(target_object, isolate()));
+      // TryMakeRef is used because the GC predicate may fail if the
+      // JSFunction was allocated too recently to be store-ordered.
+      target_ref = TryMakeRef(this, handle(target_object, isolate()));
    }
  }
  float frequency = nexus.ComputeCallFrequency();