[heap, runtime] Do not invalidate all slots in DeleteObjectPropertyFast

When deleting a JSObject's last property, only that particular slot in the old-to-new rememebered set needs to be deleted. The object's slots don't need to be invalidated anymore since V8 doesn't use unboxed doubles anymore. While the runtime could install another property at this address, it will therefore always be a tagged pointer. Bug: v8:12578, chromium:1316289 Change-Id: Ief072f58e53501c1c1f01c902e21467a37ccdc3c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3620274 Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/main@{#80303}

[heap, runtime] Do not invalidate all slots in DeleteObjectPropertyFast
When deleting a JSObject's last property, only that particular slot in the old-to-new rememebered set needs to be deleted. The object's slots don't need to be invalidated anymore since V8 doesn't use unboxed doubles anymore. While the runtime could install another property at this address, it will therefore always be a tagged pointer. Bug: v8:12578, chromium:1316289 Change-Id: Ief072f58e53501c1c1f01c902e21467a37ccdc3c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3620274 Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Camillo Bruni <cbruni@chromium.org> Cr-Commit-Position: refs/heads/main@{#80303}
d489e88c · Dominik Inführ · V8 LUCI CQ · 9b782823 · d489e88c · d489e88c
Commit d489e88c authored May 02, 2022 by Dominik Inführ Committed by V8 LUCI CQ May 02, 2022
Showing with 8 additions and 26 deletions

heap.cc src/heap/heap.cc +7 -0

memory-chunk.cc src/heap/memory-chunk.cc +1 -17

memory-chunk.h src/heap/memory-chunk.h +0 -1

runtime-object.cc src/runtime/runtime-object.cc +0 -8

No files found.
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -6435,7 +6435,14 @@ void Heap::ClearRecordedSlot(HeapObject object, ObjectSlot slot) {
  if (!page->InYoungGeneration()) {
    DCHECK_EQ(page->owner_identity(), OLD_SPACE);

+    // We only need to remove that slot when sweeping is still in progress.
+    // Because in that case, a concurrent sweeper could find that memory and
+    // reuse it for subsequent allocations. The runtime could install another
+    // property at this slot but without unboxed doubles this will always be a
+    // tagged pointer.
    if (!page->SweepingDone()) {
+      // No need to update old-to-old here since that remembered set is gone
+      // after a full GC and not re-recorded until sweeping is finished.
      RememberedSet<OLD_TO_NEW>::Remove(page, slot.address());
    }
  }

--- a/src/heap/memory-chunk.cc
+++ b/src/heap/memory-chunk.cc
@@ -378,6 +378,7 @@ template V8_EXPORT_PRIVATE void MemoryChunk::RegisterObjectWithInvalidatedSlots<

 template <RememberedSetType type>
 void MemoryChunk::RegisterObjectWithInvalidatedSlots(HeapObject object) {
+  DCHECK(!object.IsJSReceiver());
  bool skip_slot_recording;

  switch (type) {
@@ -408,23 +409,6 @@ void MemoryChunk::RegisterObjectWithInvalidatedSlots(HeapObject object) {
  invalidated_slots<type>()->insert(object);
 }

-void MemoryChunk::InvalidateRecordedSlots(HeapObject object) {
-  if (V8_DISABLE_WRITE_BARRIERS_BOOL) return;
-  if (heap()->incremental_marking()->IsCompacting()) {
-    // We cannot check slot_set_[OLD_TO_OLD] here, since the
-    // concurrent markers might insert slots concurrently.
-    RegisterObjectWithInvalidatedSlots<OLD_TO_OLD>(object);
-  }
-
-  if (slot_set_[OLD_TO_NEW] != nullptr) {
-    RegisterObjectWithInvalidatedSlots<OLD_TO_NEW>(object);
-  }
-
-  if (slot_set_[OLD_TO_SHARED] != nullptr) {
-    RegisterObjectWithInvalidatedSlots<OLD_TO_SHARED>(object);
-  }
-}
-
 template bool MemoryChunk::RegisteredObjectWithInvalidatedSlots<OLD_TO_NEW>(
    HeapObject object);
 template bool MemoryChunk::RegisteredObjectWithInvalidatedSlots<OLD_TO_OLD>(

--- a/src/heap/memory-chunk.h
+++ b/src/heap/memory-chunk.h
@@ -144,7 +144,6 @@ class MemoryChunk : public BasicMemoryChunk {
  void ReleaseInvalidatedSlots();
  template <RememberedSetType type>
  V8_EXPORT_PRIVATE void RegisterObjectWithInvalidatedSlots(HeapObject object);
-  void InvalidateRecordedSlots(HeapObject object);
  template <RememberedSetType type>
  bool RegisteredObjectWithInvalidatedSlots(HeapObject object);
  template <RememberedSetType type>

--- a/src/runtime/runtime-object.cc
+++ b/src/runtime/runtime-object.cc
@@ -207,20 +207,12 @@ bool DeleteObjectPropertyFast(Isolate* isolate, Handle<JSReceiver> receiver,
      receiver->SetProperties(ReadOnlyRoots(isolate).empty_fixed_array());
    } else {
      ClearField(isolate, JSObject::cast(*receiver), index);
-      // We must clear any recorded slot for the deleted property, because
-      // subsequent object modifications might put a raw double there.
-      // Slot clearing is the reason why this entire function cannot currently
-      // be implemented in the DeleteProperty stub.
      if (index.is_inobject()) {
        // We need to clear the recorded slot in this case because in-object
        // slack tracking might not be finished. This ensures that we don't
        // have recorded slots in free space.
        isolate->heap()->ClearRecordedSlot(*receiver,
                                           receiver->RawField(index.offset()));
-        if (!FLAG_enable_third_party_heap) {
-          MemoryChunk* chunk = MemoryChunk::FromHeapObject(*receiver);
-          chunk->InvalidateRecordedSlots(*receiver);
-        }
      }
    }
  }