[wasm] Remove code to be logged when native module dies

We have very few tests for this currently, and it's hard to test this, since code logging happens soon after scheduling the task and stack guard. If the timing is just right, it can happen though that a {NativeModule} dies while {WasmCode} objects of that {NativeModule} are still part of the {code_to_log} vector. In that case, we need to remove those code objects from the vector to avoid use after free. R=mstarzinger@chromium.org Change-Id: I16c7098bf11c54700cc650dad965106af2e39157 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566519Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#60902}

[wasm] Remove code to be logged when native module dies
We have very few tests for this currently, and it's hard to test this, since code logging happens soon after scheduling the task and stack guard. If the timing is just right, it can happen though that a {NativeModule} dies while {WasmCode} objects of that {NativeModule} are still part of the {code_to_log} vector. In that case, we need to remove those code objects from the vector to avoid use after free. R=mstarzinger@chromium.org Change-Id: I16c7098bf11c54700cc650dad965106af2e39157 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1566519Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Clemens Hammacher <clemensh@chromium.org> Cr-Commit-Position: refs/heads/master@{#60902}
75e2bea3 · Clemens Hammacher · Commit Bot · 104a030f · 75e2bea3
Commit 75e2bea3 authored Apr 16, 2019 by Clemens Hammacher Committed by Commit Bot Apr 17, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 2 deletions

wasm-engine.cc src/wasm/wasm-engine.cc +18 -2

No files found.
--- a/src/wasm/wasm-engine.cc
+++ b/src/wasm/wasm-engine.cc
@@ -603,8 +603,24 @@ void WasmEngine::FreeNativeModule(NativeModule* native_module) {
    DCHECK_NE(native_modules_.end(), it);
    for (Isolate* isolate : it->second->isolates) {
      DCHECK_EQ(1, isolates_.count(isolate));
-      DCHECK_EQ(1, isolates_[isolate]->native_modules.count(native_module));
-      isolates_[isolate]->native_modules.erase(native_module);
+      IsolateInfo* info = isolates_[isolate].get();
+      DCHECK_EQ(1, info->native_modules.count(native_module));
+      info->native_modules.erase(native_module);
+      // If there are {WasmCode} objects of the deleted {NativeModule}
+      // outstanding to be logged in this isolate, remove them. Decrementing the
+      // ref count is not needed, since the {NativeModule} dies anyway.
+      size_t remaining = info->code_to_log.size();
+      if (remaining > 0) {
+        for (size_t i = 0; i < remaining; ++i) {
+          while (i < remaining &&
+                 info->code_to_log[i]->native_module() == native_module) {
+            // Move the last remaining item to this slot (this can be the same
+            // as {i}, which is OK).
+            info->code_to_log[i] = info->code_to_log[--remaining];
+          }
+        }
+        info->code_to_log.resize(remaining);
+      }
    }
    native_modules_.erase(it);
  }