cppgc: Avoid recursive conservative tracing

Conservative tracing of an in construction objects might enter an infinite recursion if the object holds a reference to itself. The second time we try to trace the object it will be already marked and we can bail out of tracing it again. Bug: chromium:1056170 Change-Id: I74e99ca70c83f00d47299562d291adf7ba4a5808 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2715065 Commit-Queue: Omer Katz <omerkatz@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#72979}

cppgc: Avoid recursive conservative tracing
Conservative tracing of an in construction objects might enter an infinite recursion if the object holds a reference to itself. The second time we try to trace the object it will be already marked and we can bail out of tracing it again. Bug: chromium:1056170 Change-Id: I74e99ca70c83f00d47299562d291adf7ba4a5808 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2715065 Commit-Queue: Omer Katz <omerkatz@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#72979}
85fe3d37 · Omer Katz · Commit Bot · 25bc6854 · 85fe3d37 · 85fe3d37
Commit 85fe3d37 authored Feb 23, 2021 by Omer Katz Committed by Commit Bot Feb 23, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

marking-verifier.cc src/heap/cppgc/marking-verifier.cc +3 -0

marking-visitor.cc src/heap/cppgc/marking-visitor.cc +3 -1

No files found.
--- a/src/heap/cppgc/marking-verifier.cc
+++ b/src/heap/cppgc/marking-verifier.cc
@@ -45,6 +45,9 @@ void VerificationState::VerifyMarked(const void* base_object_payload) const {
 void MarkingVerifierBase::VisitInConstructionConservatively(
    HeapObjectHeader& header, TraceConservativelyCallback callback) {
  CHECK(header.IsMarked());
+  if (in_construction_objects_->find(&header) !=
+      in_construction_objects_->end())
+    return;
  in_construction_objects_->insert(&header);
  callback(this, header);
 }

--- a/src/heap/cppgc/marking-visitor.cc
+++ b/src/heap/cppgc/marking-visitor.cc
@@ -65,7 +65,9 @@ void ConservativeMarkingVisitor::VisitFullyConstructedConservatively(
 void ConservativeMarkingVisitor::VisitInConstructionConservatively(
    HeapObjectHeader& header, TraceConservativelyCallback callback) {
  DCHECK(!marking_state_.IsMarkedWeakContainer(header));
-  marking_state_.MarkNoPush(header);
+  // In construction objects found through conservative can be marked if they
+  // hold a reference to themselves.
+  if (!marking_state_.MarkNoPush(header)) return;
  marking_state_.AccountMarkedBytes(header);
  callback(this, header);
 }