[wasm] fix for GC during instantiation.

BUG=chromium:651070 Review-Url: https://codereview.chromium.org/2371403003 Cr-Commit-Position: refs/heads/master@{#39848}

[wasm] fix for GC during instantiation.
BUG=chromium:651070 Review-Url: https://codereview.chromium.org/2371403003 Cr-Commit-Position: refs/heads/master@{#39848}
aff5ab11 · mtrofin · Commit bot · 37687e31 · aff5ab11 · aff5ab11
Commit aff5ab11 authored Sep 29, 2016 by mtrofin Committed by Commit bot Sep 29, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 138 additions and 10 deletions

wasm-module.cc src/wasm/wasm-module.cc +31 -10

regression-02862.js test/mjsunit/regress/wasm/regression-02862.js +107 -0

No files found.
--- a/src/wasm/wasm-module.cc
+++ b/src/wasm/wasm-module.cc
@@ -1255,6 +1255,11 @@ MaybeHandle<JSObject> WasmModule::Instantiate(Isolate* isolate,
  Handle<FixedArray> code_table;
  Handle<FixedArray> old_code_table;
  Handle<JSObject> owner;
+  // If we don't clone, this will be null(). Otherwise, this will
+  // be a weak link to the original. If we lose the original to GC,
+  // this will be a cleared. We'll link the instances chain last.
+  MaybeHandle<WeakCell> link_to_original;
+
  {
    Handle<FixedArray> original(
        FixedArray::cast(module_object->GetInternalField(0)), isolate);
@@ -1265,20 +1270,24 @@ MaybeHandle<JSObject> WasmModule::Instantiate(Isolate* isolate,

    WeakCell* tmp = GetOwningInstance(*original);
    if (tmp != nullptr) {
+      DCHECK(!tmp->cleared());
      // There is already an owner, clone everything.
      owner = Handle<JSObject>(JSObject::cast(tmp->value()), isolate);
      // Insert the latest clone in front.
      compiled_module = factory->CopyFixedArray(original);
+      // Replace the strong reference to point to the new instance here.
+      // This allows any of the other instances, including the original,
+      // to be collected.
+      module_object->SetInternalField(0, *compiled_module);
      Handle<WeakCell> weak_link_to_wasm_obj =
          original->GetValueChecked<WeakCell>(isolate, kModuleObject);

      compiled_module->set(kModuleObject, *weak_link_to_wasm_obj);
-      Handle<WeakCell> link_to_original = factory->NewWeakCell(original);
-      compiled_module->set(kNextInstance, *link_to_original);
-      Handle<WeakCell> link_to_clone = factory->NewWeakCell(compiled_module);
-      original->set(kPrevInstance, *link_to_clone);
-      JSObject::cast(weak_link_to_wasm_obj->value())
-          ->SetInternalField(0, *compiled_module);
+      link_to_original = factory->NewWeakCell(original);
+      // Don't link to original here. We remember the original
+      // as a weak link. If that link isn't clear by the time we finish
+      // instantiating this instance, then we link it at that time.
+      compiled_module->set(kNextInstance, *factory->undefined_value());

      // Clone the code for WASM functions and exports.
      for (int i = 0; i < code_table->length(); ++i) {
@@ -1583,12 +1592,24 @@ MaybeHandle<JSObject> WasmModule::Instantiate(Isolate* isolate,
  if (!compiled_module->GetValue<WeakCell>(isolate, kModuleObject).is_null()) {
    instance->SetInternalField(kWasmCompiledModule, *compiled_module);
    Handle<WeakCell> link_to_owner = factory->NewWeakCell(instance);
-    compiled_module->set(kOwningInstance, *link_to_owner);

    Handle<Object> global_handle = isolate->global_handles()->Create(*instance);
-    GlobalHandles::MakeWeak(global_handle.location(), global_handle.location(),
-                            &InstanceFinalizer,
-                            v8::WeakCallbackType::kFinalizer);
+    Handle<WeakCell> link_to_clone = factory->NewWeakCell(compiled_module);
+    {
+      DisallowHeapAllocation no_gc;
+      compiled_module->set(kOwningInstance, *link_to_owner);
+      Handle<WeakCell> next;
+      if (link_to_original.ToHandle(&next) && !next->cleared()) {
+        FixedArray* original = FixedArray::cast(next->value());
+        DCHECK_NOT_NULL(GetOwningInstance(original));
+        DCHECK(!GetOwningInstance(original)->cleared());
+        compiled_module->set(kNextInstance, *next);
+        original->set(kPrevInstance, *link_to_clone);
+      }
+      GlobalHandles::MakeWeak(global_handle.location(),
+                              global_handle.location(), &InstanceFinalizer,
+                              v8::WeakCallbackType::kFinalizer);
+    }
  }

  return instance;

--- a/test/mjsunit/regress/wasm/regression-02862.js
+++ b/test/mjsunit/regress/wasm/regression-02862.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --random-seed=1557792826 --expose-gc --invoke-weak-callbacks --omit-quit --gc-interval=469 --validate-asm
+
+function nop() {}
+var __v_42 = {};
+var __v_49 = {};
+var __v_70 = {};
+var __v_79 = {};
+__v_58 = {
+  instantiateModuleFromAsm: function(text, ffi, heap) {
+    var __v_49 = eval('(' + text + ')');
+    if (nop()) {
+      throw "validate failure";
+    }
+    var __v_79 = __v_49();
+    if (nop()) {
+      throw "bad module args";
+    }
+  }};
+__f_140 = function __f_140() {
+  if (found === expected) {
+    if (1 / expected) return;
+  } else if ((expected !== expected) && (found !== found)) { return; };
+};
+__f_128 = function __f_128() { if (!__f_105()) { __f_125(__f_69(), found, name_opt); } };
+__f_136 = function __f_136(code, type_opt, cause_opt) {
+  var __v_42 = true;
+  try {
+    if (typeof code == 'function') { code(); }
+    else { eval(); }
+    __v_42 = false;
+  } catch (e) {
+    if (typeof type_opt == 'function') { __f_101(); }
+    if (arguments.length >= 3) { __f_128(); }
+    return;
+  }
+};
+__f_101 = function __f_101() { if (obj instanceof type) {obj.constructor; if (typeof __v_57 == "function") {; }; } };
+try {
+__f_128();
+__v_82.__p_750895751 = __v_82[getRandomProperty()];
+} catch(e) {"Caught: " + e; }
+__f_119();
+gc();
+__f_119(19, __f_136);
+__f_119();
+__f_119();
+__f_136(function() {
+  __v_58.instantiateModuleFromAsm(__f_128.toString()).__f_108();
+});
+function __f_119() {
+  "use asm";
+  function __f_108() {
+  }
+  return {__f_108: __f_108};
+}
+__f_119();
+__f_119();
+__f_119();
+function __f_95() {
+}
+__f_119();
+try {
+__f_119();
+__f_135();
+} catch(e) {"Caught: " + e; }
+__f_119();
+__f_119();
+__f_119();
+function __f_105() {
+  "use asm";
+  function __f_108() {
+  }
+  return {__f_108: __f_108};
+}
+__f_119();
+__f_119();
+__f_119();
+__f_119();
+__f_119();
+__f_119();
+__f_119();
+function __f_93(stdlib) {
+  "use asm";
+  var __v_70 = new stdlib.Int32Array();
+__v_70[4294967295]|14 + 1 | 14;
+  return {__f_108: __f_108};
+}
+function __f_135() {
+  var __v_66 = new ArrayBuffer();
+  var __v_54 = new Int32Array(__v_66);
+  var module = __v_58.instantiateModuleFromAsm( __f_93.toString());
+  __f_128();
+}
+(function () {
+})();
+(function () {
+})();
+try {
+(function() {
+      var __v_54 = 0x87654321;
+ __v_66.__f_89();
+})();
+} catch(e) {; }