[strings] Fix concurrent internalization of external strings

When internalizing cached external string that are not in-place internalizable, there is an optimization that avoids copying the contents of the string. This optimization doesn't work when the string table is shared, as it leaves strings in a partly initialized state that can be accessed in a concurrent environment. Bug: v8:12007 Change-Id: I49fcbb232893c87d065af114546a6f1a15471016 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870469 Auto-Submit: Patrick Thier <pthier@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Reviewed-by: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#82953}

[strings] Fix concurrent internalization of external strings
When internalizing cached external string that are not in-place internalizable, there is an optimization that avoids copying the contents of the string. This optimization doesn't work when the string table is shared, as it leaves strings in a partly initialized state that can be accessed in a concurrent environment. Bug: v8:12007 Change-Id: I49fcbb232893c87d065af114546a6f1a15471016 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3870469 Auto-Submit: Patrick Thier <pthier@chromium.org> Commit-Queue: Shu-yu Guo <syg@chromium.org> Reviewed-by: Shu-yu Guo <syg@chromium.org> Cr-Commit-Position: refs/heads/main@{#82953}
e547fe70 · Patrick Thier · V8 LUCI CQ · c7161424 · e547fe70
Commit e547fe70 authored Sep 02, 2022 by Patrick Thier Committed by V8 LUCI CQ Sep 02, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 7 deletions

string-table.cc src/objects/string-table.cc +9 -7

No files found.
--- a/src/objects/string-table.cc
+++ b/src/objects/string-table.cc
@@ -381,16 +381,18 @@ class InternalizedStringKey final : public StringTableKey {
    // requiring a copy can transition any further.
    StringShape shape(*string_);
    // External strings get special treatment, to avoid copying their
-    // contents as long as they are not uncached.
-    if (shape.IsExternalOneByte() && !shape.IsUncachedExternal()) {
-      // TODO(syg): External strings not yet supported.
-      DCHECK(!FLAG_shared_string_table);
+    // contents as long as they are not uncached or the string table is shared.
+    // If the string table is shared, another thread could lookup a string with
+    // the same content before this thread completes MakeThin (which sets the
+    // resource), resulting in a string table hit returning the string we just
+    // created that is not correctly initialized.
+    const bool can_avoid_copy =
+        !FLAG_shared_string_table && !shape.IsUncachedExternal();
+    if (can_avoid_copy && shape.IsExternalOneByte()) {
      string_ =
          isolate->factory()->InternalizeExternalString<ExternalOneByteString>(
              string_);
-    } else if (shape.IsExternalTwoByte() && !shape.IsUncachedExternal()) {
-      // TODO(syg): External strings not yet supported.
-      DCHECK(!FLAG_shared_string_table);
+    } else if (can_avoid_copy && shape.IsExternalTwoByte()) {
      string_ =
          isolate->factory()->InternalizeExternalString<ExternalTwoByteString>(
              string_);