[runtime] Enable basic Context extension slot verification.

Bug: v8:12298, chromium:1244145 Change-Id: Ic97fea06cd3ede330ad7c67c00bfb567006c3ac4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3211891 Auto-Submit: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/main@{#77336}

[runtime] Enable basic Context extension slot verification.
Bug: v8:12298, chromium:1244145 Change-Id: Ic97fea06cd3ede330ad7c67c00bfb567006c3ac4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3211891 Auto-Submit: Camillo Bruni <cbruni@chromium.org> Reviewed-by: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/main@{#77336}
ad89fd9f · Camillo Bruni · V8 LUCI CQ · 05056b27 · ad89fd9f · ad89fd9f
Commit ad89fd9f authored Oct 11, 2021 by Camillo Bruni Committed by V8 LUCI CQ Oct 12, 2021
4 changed files
--- a/src/objects/contexts-inl.h
+++ b/src/objects/contexts-inl.h
@@ -141,14 +141,6 @@ HeapObject Context::extension() const {
  return HeapObject::cast(get(EXTENSION_INDEX));
 }

-void Context::set_extension(HeapObject object, WriteBarrierMode mode) {
-  DCHECK(scope_info().HasContextExtensionSlot());
-#ifdef VERIFY_HEAP
-  VerifyExtensionSlot(object);
-#endif
-  set(EXTENSION_INDEX, object, mode);
-}
-
 NativeContext Context::native_context() const {
  return this->map().native_context();
 }

--- a/src/objects/contexts.cc
+++ b/src/objects/contexts.cc
@@ -443,22 +443,46 @@ int Context::IntrinsicIndexForName(const unsigned char* unsigned_string,
 #undef COMPARE_NAME

 #ifdef VERIFY_HEAP
+namespace {
+// TODO(v8:12298): Fix js-context-specialization cctests to set up full
+// native contexts instead of using dummy internalized strings as
+// extensions.
+bool IsContexExtensionTestObject(HeapObject extension) {
+  return extension.IsInternalizedString() &&
+         String::cast(extension).length() == 1;
+}
+}  // namespace
+
 void Context::VerifyExtensionSlot(HeapObject extension) {
  CHECK(scope_info().HasContextExtensionSlot());
+  // Early exit for potentially uninitialized contexfts.
  if (extension.IsUndefined()) return;
-  if (IsModuleContext()) {
-    extension.IsSourceTextModule();
+  if (extension.IsJSContextExtensionObject()) {
+    CHECK((IsBlockContext() && scope_info().is_declaration_scope()) ||
+          IsFunctionContext());
+  } else if (IsModuleContext()) {
+    CHECK(extension.IsSourceTextModule());
  } else if (IsDebugEvaluateContext() || IsWithContext()) {
-    extension.IsJSReceiver();
+    CHECK(extension.IsJSReceiver() ||
+          (IsWithContext() && IsContexExtensionTestObject(extension)));
  } else if (IsNativeContext()) {
-    extension.IsJSGlobalObject();
-  } else if ((IsBlockContext() && scope_info().is_declaration_scope()) ||
-             IsFunctionContext()) {
-    extension.IsJSContextExtensionObject();
+    CHECK(extension.IsJSGlobalObject() ||
+          IsContexExtensionTestObject(extension));
+  } else if (IsScriptContext()) {
+    // Host-defined options can be stored on the context for classic scripts.
+    CHECK(extension.IsFixedArray());
  }
 }
 #endif  // VERIFY_HEAP

+void Context::set_extension(HeapObject object, WriteBarrierMode mode) {
+  DCHECK(scope_info().HasContextExtensionSlot());
+#ifdef VERIFY_HEAP
+  VerifyExtensionSlot(object);
+#endif
+  set(EXTENSION_INDEX, object, mode);
+}
+
 #ifdef DEBUG

 bool Context::IsBootstrappingOrValidParentContext(Object object,

--- a/src/objects/contexts.h
+++ b/src/objects/contexts.h
@@ -568,8 +568,8 @@ class Context : public TorqueGeneratedContext<Context, HeapObject> {

  inline bool has_extension() const;
  inline HeapObject extension() const;
-  inline void set_extension(HeapObject object,
-                            WriteBarrierMode mode = UPDATE_WRITE_BARRIER);
+  V8_EXPORT_PRIVATE void set_extension(
+      HeapObject object, WriteBarrierMode mode = UPDATE_WRITE_BARRIER);
  JSObject extension_object() const;
  JSReceiver extension_receiver() const;
  V8_EXPORT_PRIVATE inline ScopeInfo scope_info() const;
@@ -672,7 +672,7 @@ class Context : public TorqueGeneratedContext<Context, HeapObject> {
  class BodyDescriptor;

 #ifdef VERIFY_HEAP
-  void VerifyExtensionSlot(HeapObject extension);
+  V8_EXPORT_PRIVATE void VerifyExtensionSlot(HeapObject extension);
 #endif

 private:

--- a/test/cctest/compiler/test-js-context-specialization.cc
+++ b/test/cctest/compiler/test-js-context-specialization.cc
@@ -12,6 +12,7 @@
 #include "src/compiler/node-properties.h"
 #include "src/compiler/simplified-operator.h"
 #include "src/heap/factory.h"
+#include "src/objects/contexts.h"
 #include "src/objects/objects-inl.h"
 #include "src/objects/property.h"
 #include "test/cctest/cctest.h"
@@ -281,8 +282,8 @@ TEST(ReduceJSLoadContext2) {
  Handle<Context> context_object0 = t.factory()->NewNativeContext();
  Handle<Context> context_object1 =
      NewContextForTesting(t.isolate(), context_object0);
-  context_object0->set(Context::EXTENSION_INDEX, *slot_value0);
-  context_object1->set(Context::EXTENSION_INDEX, *slot_value1);
+  context_object0->set_extension(*slot_value0);
+  context_object1->set_extension(*slot_value1);

  Node* context0 = t.jsgraph()->Constant(MakeRef(t.broker(), context_object1));
  Node* context1 =
@@ -358,8 +359,8 @@ TEST(ReduceJSLoadContext3) {
  Handle<Context> context_object0 = factory->NewNativeContext();
  Handle<Context> context_object1 =
      NewContextForTesting(isolate, context_object0);
-  context_object0->set(Context::EXTENSION_INDEX, *slot_value0);
-  context_object1->set(Context::EXTENSION_INDEX, *slot_value1);
+  context_object0->set_extension(*slot_value0);
+  context_object1->set_extension(*slot_value1);

  ContextSpecializationTester t(Just(OuterContext(context_object1, 0)));

@@ -549,8 +550,8 @@ TEST(ReduceJSStoreContext2) {
  Handle<Context> context_object0 = t.factory()->NewNativeContext();
  Handle<Context> context_object1 =
      NewContextForTesting(t.isolate(), context_object0);
-  context_object0->set(Context::EXTENSION_INDEX, *slot_value0);
-  context_object1->set(Context::EXTENSION_INDEX, *slot_value1);
+  context_object0->set_extension(*slot_value0);
+  context_object1->set_extension(*slot_value1);

  Node* context0 = t.jsgraph()->Constant(MakeRef(t.broker(), context_object1));
  Node* context1 =
@@ -598,8 +599,8 @@ TEST(ReduceJSStoreContext3) {
  Handle<Context> context_object0 = factory->NewNativeContext();
  Handle<Context> context_object1 =
      NewContextForTesting(isolate, context_object0);
-  context_object0->set(Context::EXTENSION_INDEX, *slot_value0);
-  context_object1->set(Context::EXTENSION_INDEX, *slot_value1);
+  context_object0->set_extension(*slot_value0);
+  context_object1->set_extension(*slot_value1);

  ContextSpecializationTester t(Just(OuterContext(context_object1, 0)));