[heap] Fix race in MemoryChunk protection logic

... when allocating Code objects from background thread. Bug: chromium:1329012, chromium:1330887 Change-Id: Ia2731ba463381c826d14591f4ba3b3fe15d15a0b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688517 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/main@{#80948}

[heap] Fix race in MemoryChunk protection logic
... when allocating Code objects from background thread. Bug: chromium:1329012, chromium:1330887 Change-Id: Ia2731ba463381c826d14591f4ba3b3fe15d15a0b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688517 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/main@{#80948}
a4d12a86 · Igor Sheludko · V8 LUCI CQ · 620388b1 · a4d12a86 · a4d12a86
Commit a4d12a86 authored Jun 03, 2022 by Igor Sheludko Committed by V8 LUCI CQ Jun 03, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 13 deletions

heap-inl.h src/heap/heap-inl.h +1 -4

heap.cc src/heap/heap.cc +10 -1

heap.h src/heap/heap.h +0 -8

No files found.
--- a/src/heap/heap-inl.h
+++ b/src/heap/heap-inl.h
@@ -651,10 +651,7 @@ CodePageCollectionMemoryModificationScope::
 CodePageCollectionMemoryModificationScope::
    ~CodePageCollectionMemoryModificationScope() {
  if (heap_->write_protect_code_memory()) {
-    heap_->DecrementCodePageCollectionMemoryModificationScopeDepth();
+    heap_->ProtectUnprotectedMemoryChunks();
-    if (heap_->code_page_collection_memory_modification_scope_depth() == 0) {
-      heap_->ProtectUnprotectedMemoryChunks();
-    }
  }
 }

--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -2768,8 +2768,12 @@ void Heap::ComputeFastPromotionMode() {
 void Heap::UnprotectAndRegisterMemoryChunk(MemoryChunk* chunk,
                                           UnprotectMemoryOrigin origin) {
  if (!write_protect_code_memory()) return;
+  base::MutexGuard guard(&unprotected_memory_chunks_mutex_);
+  // CodePageCollectionMemoryModificationScope can be used in multiple threads,
+  // so we have to check its depth behind the lock.
  if (code_page_collection_memory_modification_scope_depth_ > 0) {
-    base::MutexGuard guard(&unprotected_memory_chunks_mutex_);
    if (unprotected_memory_chunks_.insert(chunk).second) {
      chunk->SetCodeModificationPermissions();
    }
@@ -2790,6 +2794,11 @@ void Heap::UnregisterUnprotectedMemoryChunk(MemoryChunk* chunk) {
 void Heap::ProtectUnprotectedMemoryChunks() {
  base::MutexGuard guard(&unprotected_memory_chunks_mutex_);
+  // CodePageCollectionMemoryModificationScope can be used in multiple threads,
+  // so we have to check its depth behind the lock.
+  if (--code_page_collection_memory_modification_scope_depth_ > 0) return;
  for (auto chunk = unprotected_memory_chunks_.begin();
       chunk != unprotected_memory_chunks_.end(); chunk++) {
    DCHECK(memory_allocator()->IsMemoryChunkExecutable(*chunk));

--- a/src/heap/heap.h
+++ b/src/heap/heap.h
@@ -675,14 +675,6 @@ class Heap {
    code_page_collection_memory_modification_scope_depth_++;
  }
-  void DecrementCodePageCollectionMemoryModificationScopeDepth() {
-    code_page_collection_memory_modification_scope_depth_--;
-  }
-  uintptr_t code_page_collection_memory_modification_scope_depth() {
-    return code_page_collection_memory_modification_scope_depth_;
-  }
  inline HeapState gc_state() const {
    return gc_state_.load(std::memory_order_relaxed);
  }