[compiler] fix 2 incorrect MakeRef usages in js-heap-broker.cc

1. In ElementAccessFeedback::HasOnlyStringMaps - we can assume the map is safe to read because it was read earlier from the feedback vector and passed the gc predicate then. 2. In JSHeapBroker::GetPropertyAccessInfo - we can assume that the feedback vector in a FeedbackSource is store-ordered/safe to read. Bug: v8:7790, v8:12282 Change-Id: Ie09acdfaac3d5e767ffe74e4bad941d4eeb47f9a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200082 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#77213}

[compiler] fix 2 incorrect MakeRef usages in js-heap-broker.cc
1. In ElementAccessFeedback::HasOnlyStringMaps - we can assume the map is safe to read because it was read earlier from the feedback vector and passed the gc predicate then. 2. In JSHeapBroker::GetPropertyAccessInfo - we can assume that the feedback vector in a FeedbackSource is store-ordered/safe to read. Bug: v8:7790, v8:12282 Change-Id: Ie09acdfaac3d5e767ffe74e4bad941d4eeb47f9a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3200082 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Jakob Gruber <jgruber@chromium.org> Cr-Commit-Position: refs/heads/main@{#77213}
7dc0a549 · Mike Stanton · V8 LUCI CQ · 4fb3eae7 · 7dc0a549
Commit 7dc0a549 authored Oct 04, 2021 by Mike Stanton Committed by V8 LUCI CQ Oct 04, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 2 deletions

js-heap-broker.cc src/compiler/js-heap-broker.cc +9 -2

No files found.
--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@@ -407,7 +407,10 @@ ElementAccessFeedback::ElementAccessFeedback(Zone* zone,
 bool ElementAccessFeedback::HasOnlyStringMaps(JSHeapBroker* broker) const {
  for (auto const& group : transition_groups()) {
    for (Handle<Map> map : group) {
-      if (!MakeRef(broker, map).IsStringMap()) return false;
+      // We assume a memory fence because {map} was read earlier from
+      // the feedback vector and was store ordered on insertion into the
+      // vector.
+      if (!MakeRefAssumeMemoryFence(broker, map).IsStringMap()) return false;
    }
  }
  return true;
@@ -972,9 +975,13 @@ MinimorphicLoadPropertyAccessInfo JSHeapBroker::GetPropertyAccessInfo(
  MinimorphicLoadPropertyAccessInfo access_info =
      factory.ComputePropertyAccessInfo(feedback);
  if (is_concurrent_inlining_) {
+    // We can assume a memory fence on {source.vector} because in production,
+    // the vector has already passed the gc predicate. Unit tests create
+    // FeedbackSource objects directly from handles, but they run on
+    // the main thread.
    TRACE(this, "Storing MinimorphicLoadPropertyAccessInfo for "
                    << source.index() << "  "
-                    << MakeRef<Object>(this, source.vector));
+                    << MakeRefAssumeMemoryFence<Object>(this, source.vector));
    minimorphic_property_access_infos_.insert({source, access_info});
  }
  return access_info;