[verify-heap] Move verification to Heap::StartTearDown

When Heap::TearDown is called, parts of the Isolate are already gone (specifically: Managed<> objects, which includes Wasm NativeModules). Since heap verification can depend on these parts (e.g. to find Code objects belonging to current activations on the stack), we should do it before tearing down things. Heap::StartTearDown is a suitable way to achieve that. Bug: v8:9209 Change-Id: I44094b19e16a4f372eb14ab363d8b4a65182f38a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1993968 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#65684}

[verify-heap] Move verification to Heap::StartTearDown
When Heap::TearDown is called, parts of the Isolate are already gone (specifically: Managed<> objects, which includes Wasm NativeModules). Since heap verification can depend on these parts (e.g. to find Code objects belonging to current activations on the stack), we should do it before tearing down things. Heap::StartTearDown is a suitable way to achieve that. Bug: v8:9209 Change-Id: I44094b19e16a4f372eb14ab363d8b4a65182f38a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1993968 Commit-Queue: Jakob Kummerow <jkummerow@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#65684}
7b6de838 · Jakob Kummerow · Commit Bot · bc608444 · 7b6de838 · 7b6de838
Commit 7b6de838 authored Jan 10, 2020 by Jakob Kummerow Committed by Commit Bot Jan 10, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 4 deletions

heap.cc src/heap/heap.cc +12 -4

mjsunit.status test/mjsunit/mjsunit.status +1 -0

regress-9209.js test/mjsunit/regress/regress-9209.js +14 -0

No files found.
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -5228,15 +5228,23 @@ void Heap::RegisterExternallyReferencedObject(Address* location) {
  }
 }

-void Heap::StartTearDown() { SetGCState(TEAR_DOWN); }
-
-void Heap::TearDown() {
-  DCHECK_EQ(gc_state_, TEAR_DOWN);
+void Heap::StartTearDown() {
+  SetGCState(TEAR_DOWN);
 #ifdef VERIFY_HEAP
+  // {StartTearDown} is called fairly early during Isolate teardown, so it's
+  // a good time to run heap verification (if requested), before starting to
+  // tear down parts of the Isolate.
  if (FLAG_verify_heap) {
    Verify();
  }
 #endif
+}
+
+void Heap::TearDown() {
+  DCHECK_EQ(gc_state_, TEAR_DOWN);
+
+  // It's too late for Heap::Verify() here, as parts of the Isolate are
+  // already gone by the time this is called.

  UpdateMaximumCommitted();


--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -366,6 +366,7 @@
  'regress/wasm/*': [SKIP],
  'regress/regress-8947': [SKIP],
  'regress/regress-9165': [SKIP],
+  'regress/regress-9209': [SKIP],
  'regress/regress-1034394': [SKIP],
  'regress/regress-v8-9106': [SKIP],
  'wasm/*': [SKIP],

--- a/test/mjsunit/regress/regress-9209.js
+++ b/test/mjsunit/regress/regress-9209.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --verify-heap
+
+load('test/mjsunit/wasm/wasm-module-builder.js');
+
+const builder = new WasmModuleBuilder();
+builder.addImport("d8", "quit", kSig_v_v)
+builder.addFunction('do_not_crash', kSig_v_v)
+        .addBody([kExprCallFunction, 0])
+        .exportFunc();
+builder.instantiate({d8: {quit: quit}}).exports.do_not_crash();