cppgc: Allow writes to dead slots in member assignment checks.

The checks for assignemnts to member during prefinalizers assumed the slot has to live. It was assumed that if a slot is dead then we would not be updating it. Prefinalizers are allowed to touch dead objects and thus are techincally allowed to write to dead slots. Such writes are usually redundant (the object will be swept soon anyway) but are not always easy to get rid of. Bug: chromium:1255152, v8:11749 Change-Id: I57e143abd53d434c3198616909c506eb70d8944b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199800Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Omer Katz <omerkatz@chromium.org> Cr-Commit-Position: refs/heads/main@{#77208}

cppgc: Allow writes to dead slots in member assignment checks.
The checks for assignemnts to member during prefinalizers assumed the slot has to live. It was assumed that if a slot is dead then we would not be updating it. Prefinalizers are allowed to touch dead objects and thus are techincally allowed to write to dead slots. Such writes are usually redundant (the object will be swept soon anyway) but are not always easy to get rid of. Bug: chromium:1255152, v8:11749 Change-Id: I57e143abd53d434c3198616909c506eb70d8944b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3199800Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Omer Katz <omerkatz@chromium.org> Cr-Commit-Position: refs/heads/main@{#77208}
75c130a8 · Omer Katz · V8 LUCI CQ · ee1e1fa5 · 75c130a8 · 75c130a8
Commit 75c130a8 authored Oct 01, 2021 by Omer Katz Committed by V8 LUCI CQ Oct 04, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 6 deletions

pointer-policies.cc src/heap/cppgc/pointer-policies.cc +3 -4

prefinalizer-unittest.cc test/unittests/heap/cppgc/prefinalizer-unittest.cc +4 -2

No files found.
--- a/src/heap/cppgc/pointer-policies.cc
+++ b/src/heap/cppgc/pointer-policies.cc
@@ -75,16 +75,15 @@ void SameThreadEnabledCheckingPolicyBase::CheckPointerImpl(
 #ifdef CPPGC_VERIFY_HEAP
  if (check_off_heap_assignments || is_on_heap) {
    if (heap_->prefinalizer_handler()->IsInvokingPreFinalizers()) {
-      // During prefinalizers invocation, check that |ptr| refers to a live
-      // object and that it is assigned to a live slot.
-      DCHECK(header->IsMarked());
      // Slot can be in a large object.
      const auto* slot_page = BasePage::FromInnerAddress(heap_, this);
      // Off-heap slots (from other heaps or on-stack) are considered live.
      bool slot_is_live =
          !slot_page ||
          slot_page->ObjectHeaderFromInnerAddress(this).IsMarked();
-      DCHECK(slot_is_live);
+      // During prefinalizers invocation, check that if the slot is live then
+      // |ptr| refers to a live object.
+      DCHECK_IMPLIES(slot_is_live, header->IsMarked());
      USE(slot_is_live);
    }
  }

--- a/test/unittests/heap/cppgc/prefinalizer-unittest.cc
+++ b/test/unittests/heap/cppgc/prefinalizer-unittest.cc
@@ -294,7 +294,9 @@ class GCedHolder : public GarbageCollected<GCedHolder> {
 #if V8_ENABLE_CHECKS
 #ifdef CPPGC_VERIFY_HEAP

-TEST_F(PrefinalizerDeathTest, PrefinalizerCantRewireGraphWithDeadObjects) {
+TEST_F(PrefinalizerDeathTest, PrefinalizerCanRewireGraphWithDeadObjects) {
+  // Prefinalizers are allowed to rewire dead object to dead objects as that
+  // doesn't affect the live object graph.
  Persistent<LinkedNode> root{MakeGarbageCollected<LinkedNode>(
      GetAllocationHandle(),
      MakeGarbageCollected<LinkedNode>(
@@ -305,7 +307,7 @@ TEST_F(PrefinalizerDeathTest, PrefinalizerCantRewireGraphWithDeadObjects) {
  // All LinkedNode objects will die on the following GC. The pre-finalizer may
  // still operate with them but not add them to a live object.
  root.Clear();
-  EXPECT_DEATH_IF_SUPPORTED(PreciseGC(), "");
+  PreciseGC();
 }

 TEST_F(PrefinalizerDeathTest, PrefinalizerCantRessurectObjectOnStack) {