Revert "[compiler] Consider IsPendingAllocation in Ref construction"

This reverts commit 5f0ac36c. Reason for revert: Seems to be associated with multiple Sanitizer failures: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20stress-incremental-marking/3176 Original change's description: > [compiler] Consider IsPendingAllocation in Ref construction > > The logic in JSHeapBroker::TryGetOrCreateData assumes that parts > of the object are safe to read. In particular, the instance type > must be readable for the chain of `Is##Name()` type checks. > > This is guaranteed if > > - a global memory fence happened after object initialization and > prior to the read by the compiler; or > - the object was published through a release store and read through > an acquire read. > > The former is protected by the new call to ObjectMayBeUninitialized > (which internally calls IsPendingAllocation) in TryGetOrCreateData. > > The latter must be marked explicitly by calling the new > MakeRefAssumeMemoryFence variant. > > Note that support in this CL is expected to be incomplete and will > have to be extended in the future as more cases show up in which > MakeRef calls must be converted to MakeRefAssumeMemoryFence or to > TryMakeRef. > > Bug: v8:7790,v8:11711 > Change-Id: Ic2f7d9fc46e4bfc3f6bbe42816f73fc5ec174337 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874663 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Cr-Commit-Position: refs/heads/master@{#74474} Bug: v8:7790 Bug: v8:11711 Change-Id: Ia736cd1143da30ca25fdc2c3c1a2056ebf18d596 No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2883245 Auto-Submit: Bill Budge <bbudge@chromium.org> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#74484}

Revert "[compiler] Consider IsPendingAllocation in Ref construction"
This reverts commit 5f0ac36c. Reason for revert: Seems to be associated with multiple Sanitizer failures: https://ci.chromium.org/p/v8/builders/ci/V8%20Linux64%20TSAN%20-%20stress-incremental-marking/3176 Original change's description: > [compiler] Consider IsPendingAllocation in Ref construction > > The logic in JSHeapBroker::TryGetOrCreateData assumes that parts > of the object are safe to read. In particular, the instance type > must be readable for the chain of `Is##Name()` type checks. > > This is guaranteed if > > - a global memory fence happened after object initialization and > prior to the read by the compiler; or > - the object was published through a release store and read through > an acquire read. > > The former is protected by the new call to ObjectMayBeUninitialized > (which internally calls IsPendingAllocation) in TryGetOrCreateData. > > The latter must be marked explicitly by calling the new > MakeRefAssumeMemoryFence variant. > > Note that support in this CL is expected to be incomplete and will > have to be extended in the future as more cases show up in which > MakeRef calls must be converted to MakeRefAssumeMemoryFence or to > TryMakeRef. > > Bug: v8:7790,v8:11711 > Change-Id: Ic2f7d9fc46e4bfc3f6bbe42816f73fc5ec174337 > Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2874663 > Commit-Queue: Jakob Gruber <jgruber@chromium.org> > Reviewed-by: Georg Neis <neis@chromium.org> > Cr-Commit-Position: refs/heads/master@{#74474} Bug: v8:7790 Bug: v8:11711 Change-Id: Ia736cd1143da30ca25fdc2c3c1a2056ebf18d596 No-Presubmit: true No-Tree-Checks: true No-Try: true Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2883245 Auto-Submit: Bill Budge <bbudge@chromium.org> Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/heads/master@{#74484}
d23dbf3b · Bill Budge · V8 LUCI CQ · f779fba4 · d23dbf3b · d23dbf3b
Commit d23dbf3b authored May 10, 2021 by Bill Budge Committed by V8 LUCI CQ May 10, 2021
Expand all Hide whitespace changes
Inline Side-by-side

Showing with 77 additions and 128 deletions

heap-refs.cc src/compiler/heap-refs.cc +38 -70

js-heap-broker.cc src/compiler/js-heap-broker.cc +19 -17

js-heap-broker.h src/compiler/js-heap-broker.h +20 -41

No files found.
--- a/src/compiler/heap-refs.cc
+++ b/src/compiler/heap-refs.cc
--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@@ -227,21 +227,27 @@ bool JSHeapBroker::IsArrayOrObjectPrototype(Handle<JSObject> object) const {
         array_and_object_prototypes_.end();
 }

-ObjectData* JSHeapBroker::TryGetOrCreateData(Object object,
-                                             GetOrCreateDataFlags flags) {
-  return TryGetOrCreateData(CanonicalPersistentHandle(object), flags);
-}
-
-ObjectData* JSHeapBroker::GetOrCreateData(Handle<Object> object,
-                                          GetOrCreateDataFlags flags) {
-  ObjectData* return_value = TryGetOrCreateData(object, flags | kCrashOnError);
+ObjectData* JSHeapBroker::TryGetOrCreateData(
+    Object object, bool crash_on_error,
+    ObjectRef::BackgroundSerialization background_serialization) {
+  return TryGetOrCreateData(CanonicalPersistentHandle(object), crash_on_error,
+                            background_serialization);
+}
+
+ObjectData* JSHeapBroker::GetOrCreateData(
+    Handle<Object> object,
+    ObjectRef::BackgroundSerialization background_serialization) {
+  ObjectData* return_value =
+      TryGetOrCreateData(object, true, background_serialization);
  DCHECK_NOT_NULL(return_value);
  return return_value;
 }

-ObjectData* JSHeapBroker::GetOrCreateData(Object object,
-                                          GetOrCreateDataFlags flags) {
-  return GetOrCreateData(CanonicalPersistentHandle(object), flags);
+ObjectData* JSHeapBroker::GetOrCreateData(
+    Object object,
+    ObjectRef::BackgroundSerialization background_serialization) {
+  return GetOrCreateData(CanonicalPersistentHandle(object),
+                         background_serialization);
 }

 bool JSHeapBroker::StackHasOverflowed() const {
@@ -253,12 +259,8 @@ bool JSHeapBroker::StackHasOverflowed() const {
 }

 bool JSHeapBroker::ObjectMayBeUninitialized(Handle<Object> object) const {
-  if (!object->IsHeapObject()) return false;
-  return ObjectMayBeUninitialized(HeapObject::cast(*object));
-}
-
-bool JSHeapBroker::ObjectMayBeUninitialized(HeapObject object) const {
-  return !IsMainThread() && isolate()->heap()->IsPendingAllocation(object);
+  return !IsMainThread() && object->IsHeapObject() &&
+         isolate()->heap()->IsPendingAllocation(HeapObject::cast(*object));
 }

 bool CanInlineElementAccess(MapRef const& map) {

--- a/src/compiler/js-heap-broker.h
+++ b/src/compiler/js-heap-broker.h
@@ -79,21 +79,6 @@ struct PropertyAccessTarget {
  };
 };

-enum GetOrCreateDataFlag {
-  // If set, a failure to create the data object results in a crash.
-  kCrashOnError = 1 << 0,
-  // If set, data construction assumes that the given object is protected by
-  // a memory fence (e.g. acquire-release) and thus fields required for
-  // construction (like Object::map) are safe to read. The protection can
-  // extend to some other situations as well.
-  kAssumeMemoryFence = 1 << 1,
-  // Whether background serialization is allowed (only used for
-  // kPossiblyBackgroundSerialized refs).
-  kAllowBackgroundSerialization = 1 << 2,
-};
-using GetOrCreateDataFlags = base::Flags<GetOrCreateDataFlag>;
-DEFINE_OPERATORS_FOR_FLAGS(GetOrCreateDataFlags)
-
 class V8_EXPORT_PRIVATE JSHeapBroker {
 public:
  JSHeapBroker(Isolate* isolate, Zone* broker_zone, bool tracing_enabled,
@@ -166,16 +151,25 @@ class V8_EXPORT_PRIVATE JSHeapBroker {
  Handle<Object> GetRootHandle(Object object);

  // Never returns nullptr.
-  ObjectData* GetOrCreateData(Handle<Object> object,
-                              GetOrCreateDataFlags flags = {});
-  ObjectData* GetOrCreateData(Object object, GetOrCreateDataFlags flags = {});
+  ObjectData* GetOrCreateData(
+      Handle<Object>,
+      ObjectRef::BackgroundSerialization background_serialization =
+          ObjectRef::BackgroundSerialization::kDisallowed);
+  // Like the previous but wraps argument in handle first (for convenience).
+  ObjectData* GetOrCreateData(
+      Object, ObjectRef::BackgroundSerialization background_serialization =
+                  ObjectRef::BackgroundSerialization::kDisallowed);

  // Gets data only if we have it. However, thin wrappers will be created for
  // smis, read-only objects and never-serialized objects.
-  ObjectData* TryGetOrCreateData(Handle<Object> object,
-                                 GetOrCreateDataFlags flags = {});
-  ObjectData* TryGetOrCreateData(Object object,
-                                 GetOrCreateDataFlags flags = {});
+  ObjectData* TryGetOrCreateData(
+      Handle<Object>, bool crash_on_error = false,
+      ObjectRef::BackgroundSerialization background_serialization =
+          ObjectRef::BackgroundSerialization::kDisallowed);
+  ObjectData* TryGetOrCreateData(
+      Object object, bool crash_on_error = false,
+      ObjectRef::BackgroundSerialization background_serialization =
+          ObjectRef::BackgroundSerialization::kDisallowed);

  // Check if {object} is any native context's %ArrayPrototype% or
  // %ObjectPrototype%.
@@ -397,7 +391,6 @@ class V8_EXPORT_PRIVATE JSHeapBroker {
  // thus safe to read from a memory safety perspective. The converse does not
  // necessarily hold.
  bool ObjectMayBeUninitialized(Handle<Object> object) const;
-  bool ObjectMayBeUninitialized(HeapObject object) const;

  bool CanUseFeedback(const FeedbackNexus& nexus) const;
  const ProcessedFeedback& NewInsufficientFeedback(FeedbackSlotKind kind) const;
@@ -587,8 +580,8 @@ class V8_NODISCARD UnparkedScopeIfNeeded {
 template <class T,
          typename = std::enable_if_t<std::is_convertible<T*, Object*>::value>>
 base::Optional<typename ref_traits<T>::ref_type> TryMakeRef(
-    JSHeapBroker* broker, T object, GetOrCreateDataFlags flags = {}) {
-  ObjectData* data = broker->TryGetOrCreateData(object, flags);
+    JSHeapBroker* broker, T object) {
+  ObjectData* data = broker->TryGetOrCreateData(object);
  if (data == nullptr) {
    TRACE_BROKER_MISSING(broker, "ObjectData for " << Brief(object));
    return {};
@@ -599,8 +592,8 @@ base::Optional<typename ref_traits<T>::ref_type> TryMakeRef(
 template <class T,
          typename = std::enable_if_t<std::is_convertible<T*, Object*>::value>>
 base::Optional<typename ref_traits<T>::ref_type> TryMakeRef(
-    JSHeapBroker* broker, Handle<T> object, GetOrCreateDataFlags flags = {}) {
-  ObjectData* data = broker->TryGetOrCreateData(object, flags);
+    JSHeapBroker* broker, Handle<T> object) {
+  ObjectData* data = broker->TryGetOrCreateData(object);
  if (data == nullptr) {
    TRACE_BROKER_MISSING(broker, "ObjectData for " << Brief(*object));
    return {};
@@ -621,20 +614,6 @@ typename ref_traits<T>::ref_type MakeRef(JSHeapBroker* broker,
  return TryMakeRef(broker, object).value();
 }

-template <class T,
-          typename = std::enable_if_t<std::is_convertible<T*, Object*>::value>>
-typename ref_traits<T>::ref_type MakeRefAssumeMemoryFence(JSHeapBroker* broker,
-                                                          T object) {
-  return TryMakeRef(broker, object, kAssumeMemoryFence).value();
-}
-
-template <class T,
-          typename = std::enable_if_t<std::is_convertible<T*, Object*>::value>>
-typename ref_traits<T>::ref_type MakeRefAssumeMemoryFence(JSHeapBroker* broker,
-                                                          Handle<T> object) {
-  return TryMakeRef(broker, object, kAssumeMemoryFence).value();
-}
-
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8