[compiler] Fix a bug in GetOwnFastDataPropertyFromHeap

We can't create Refs inside a DisallowGarbageCollection scope since the MapData constructor uses a parking mutex (which may park the local heap and let GC run). Bug: v8:11957, v8:7790 Change-Id: I300b76a15f0f63514ca049f78099e1e6125a6569 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3010281Reviewed-by: Michael Stanton <mvstanton@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75609}

[compiler] Fix a bug in GetOwnFastDataPropertyFromHeap
We can't create Refs inside a DisallowGarbageCollection scope since the MapData constructor uses a parking mutex (which may park the local heap and let GC run). Bug: v8:11957, v8:7790 Change-Id: I300b76a15f0f63514ca049f78099e1e6125a6569 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3010281Reviewed-by: Michael Stanton <mvstanton@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75609}
e2a4515c · Georg Neis · V8 LUCI CQ · 3e97ebdc · e2a4515c
Commit e2a4515c authored Jul 07, 2021 by Georg Neis Committed by V8 LUCI CQ Jul 07, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 15 deletions

heap-refs.cc src/compiler/heap-refs.cc +12 -15

No files found.
--- a/src/compiler/heap-refs.cc
+++ b/src/compiler/heap-refs.cc
@@ -537,7 +537,7 @@ base::Optional<ObjectRef> GetOwnElementFromHeap(JSHeapBroker* broker,
 base::Optional<ObjectRef> GetOwnFastDataPropertyFromHeap(
    JSHeapBroker* broker, JSObjectRef holder, Representation representation,
    FieldIndex field_index) {
-  base::Optional<ObjectRef> value;
+  base::Optional<Object> constant;
  {
    DisallowGarbageCollection no_gc;
@@ -552,7 +552,6 @@ base::Optional<ObjectRef> GetOwnFastDataPropertyFromHeap(
      return {};
    }
-    base::Optional<Object> constant;
    if (field_index.is_inobject()) {
      constant = holder.object()->RawInobjectPropertyAt(map, field_index);
      if (!constant.has_value()) {
@@ -585,27 +584,25 @@ base::Optional<ObjectRef> GetOwnFastDataPropertyFromHeap(
    }
    // {constant} needs to pass the gc predicate before we can introspect on it.
-    value = TryMakeRef(broker, constant.value());
+    if (broker->ObjectMayBeUninitialized(constant.value())) return {};
-    if (!value.has_value()) {
-      return {};
+    // Since we don't have a guarantee that {constant} is the correct value of
-    }
+    // the property, we use the expected {representation} to weed out the most
-    // Since we don't have a guarantee that {value} is the correct value of the
-    // property, we use the expected {representation} to weed out the most
    // egregious types of wrong values.
-    if (!value->object()->FitsRepresentation(representation)) {
+    if (!constant->FitsRepresentation(representation)) {
      TRACE_BROKER_MISSING(
          broker, "Mismatch between representation and value in " << holder);
      return {};
    }
  }
-  // Now that we can safely inspect the property, it may need to be wrapped.
+  // Now that we can safely inspect the constant, it may need to be wrapped.
+  Handle<Object> value = broker->CanonicalPersistentHandle(constant.value());
  Handle<Object> possibly_wrapped = Object::WrapForRead<AllocationType::kOld>(
-      broker->local_isolate_or_isolate(), value->object(), representation);
+      broker->local_isolate_or_isolate(), value, representation);
-  // MakeRef will always succeed, because all that happened was we either got
+  // MakeRef will always succeed, because either {possibly_wrapped} is {value}
-  // back a handle identical to {constant} above, or we allocated a handle
+  // or we allocated a HeapNumber via the local isolate, which is thus
-  // on the local isolate, and objects allocated on the background thread
+  // guaranteed to pass the gc predicate.
-  // are guaranteed to pass the gc predicate.
  return MakeRef(broker, *possibly_wrapped);
 }