cppgc: Fix {Weak}CrossThreadPersistent destruction

Bug: chromium:1056170 Change-Id: I89dd887a75a475f998d950e86f35c7fe2af5d67f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2743887Reviewed-by: Omer Katz <omerkatz@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#73307}

cppgc: Fix {Weak}CrossThreadPersistent destruction
Bug: chromium:1056170 Change-Id: I89dd887a75a475f998d950e86f35c7fe2af5d67f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2743887Reviewed-by: Omer Katz <omerkatz@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#73307}
ce336fdb · Michael Lippautz · Commit Bot · 0defc528 · ce336fdb · ce336fdb
Commit ce336fdb authored Mar 09, 2021 by Michael Lippautz Committed by Commit Bot Mar 09, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 12 deletions

cross-thread-persistent.h include/cppgc/cross-thread-persistent.h +26 -12

persistent-node.h include/cppgc/internal/persistent-node.h +1 -0

No files found.
--- a/include/cppgc/cross-thread-persistent.h
+++ b/include/cppgc/cross-thread-persistent.h
@@ -192,10 +192,17 @@ class BasicCrossThreadPersistent final : public PersistentBase,
    const void* old_value = GetValue();
    if (IsValid(old_value)) {
      PersistentRegionLock guard;
-      CrossThreadPersistentRegion& region =
-          this->GetPersistentRegion(old_value);
-      region.FreeNode(GetNode());
-      SetNode(nullptr);
+      old_value = GetValue();
+      // The fast path check (IsValid()) does not acquire the lock. Reload
+      // the value to ensure the reference has not been cleared.
+      if (IsValid(old_value)) {
+        CrossThreadPersistentRegion& region =
+            this->GetPersistentRegion(old_value);
+        region.FreeNode(GetNode());
+        SetNode(nullptr);
+      } else {
+        CPPGC_DCHECK(!GetNode());
+      }
    }
    SetValue(nullptr);
  }
@@ -277,15 +284,22 @@ class BasicCrossThreadPersistent final : public PersistentBase,
    const void* old_value = GetValue();
    if (IsValid(old_value)) {
      PersistentRegionLock guard;
-      CrossThreadPersistentRegion& region =
-          this->GetPersistentRegion(old_value);
-      if (IsValid(ptr) && (&region == &this->GetPersistentRegion(ptr))) {
-        SetValue(ptr);
-        this->CheckPointer(ptr);
-        return;
+      old_value = GetValue();
+      // The fast path check (IsValid()) does not acquire the lock. Reload
+      // the value to ensure the reference has not been cleared.
+      if (IsValid(old_value)) {
+        CrossThreadPersistentRegion& region =
+            this->GetPersistentRegion(old_value);
+        if (IsValid(ptr) && (&region == &this->GetPersistentRegion(ptr))) {
+          SetValue(ptr);
+          this->CheckPointer(ptr);
+          return;
+        }
+        region.FreeNode(GetNode());
+        SetNode(nullptr);
+      } else {
+        CPPGC_DCHECK(!GetNode());
      }
-      region.FreeNode(GetNode());
-      SetNode(nullptr);
    }
    SetValue(ptr);
    if (!IsValid(ptr)) return;

--- a/include/cppgc/internal/persistent-node.h
+++ b/include/cppgc/internal/persistent-node.h
@@ -99,6 +99,7 @@ class V8_EXPORT PersistentRegion final {
  }

  void FreeNode(PersistentNode* node) {
+    CPPGC_DCHECK(node);
    CPPGC_DCHECK(node->IsUsed());
    node->InitializeAsFreeNode(free_list_head_);
    free_list_head_ = node;