[compiler] Avoid ConsString pointing to young strings in the background

The generational write-barrier currently does not support background threads. As a result, building in the background a ConsString that points to a young string can lead to bugs, since the young string could be freed. Bug: v8:13203 Change-Id: I0df7c8cca8712d765eff0b1e918379f5477fdee5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3840940Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Darius Mercadier <dmercadier@chromium.org> Cr-Commit-Position: refs/heads/main@{#82612}

[compiler] Avoid ConsString pointing to young strings in the background
The generational write-barrier currently does not support background threads. As a result, building in the background a ConsString that points to a young string can lead to bugs, since the young string could be freed. Bug: v8:13203 Change-Id: I0df7c8cca8712d765eff0b1e918379f5477fdee5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3840940Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Darius Mercadier <dmercadier@chromium.org> Cr-Commit-Position: refs/heads/main@{#82612}
f04ca338 · Darius M · V8 LUCI CQ · 9b0d5cb1 · f04ca338
Commit f04ca338 authored Aug 19, 2022 by Darius M Committed by V8 LUCI CQ Aug 22, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 4 deletions

js-native-context-specialization.cc src/compiler/js-native-context-specialization.cc +17 -4

No files found.
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@@ -25,6 +25,7 @@
 #include "src/compiler/type-cache.h"
 #include "src/handles/handles.h"
 #include "src/heap/factory.h"
+#include "src/heap/heap-write-barrier-inl.h"
 #include "src/objects/feedback-vector.h"
 #include "src/objects/heap-number.h"
 #include "src/objects/string.h"
@@ -344,10 +345,22 @@ Handle<String> Concatenate(Handle<String> left, Handle<String> right,

  int32_t length = left->length() + right->length();
  if (length > kConstantStringFlattenMaxSize) {
-    return broker->local_isolate_or_isolate()
-        ->factory()
-        ->NewConsString(left, right, AllocationType::kOld)
-        .ToHandleChecked();
+    // The generational write-barrier doesn't work in background threads, so,
+    // if {left} or {right} are in the young generation, we would have to copy
+    // them to the local heap (which is old) before creating the (old)
+    // ConsString. But, copying a ConsString instead of flattening it to a
+    // SeqString makes no sense here (since flattening would be faster and use
+    // less memory). Thus, if one of {left} or {right} is a young string, we'll
+    // build a SeqString rather than a ConsString, regardless of {length}.
+    // TODO(dmercadier, dinfuehr): always build a ConsString here once the
+    // generational write-barrier supports background threads.
+    if (!LocalHeap::Current() ||
+        (!ObjectInYoungGeneration(*left) && !ObjectInYoungGeneration(*right))) {
+      return broker->local_isolate_or_isolate()
+          ->factory()
+          ->NewConsString(left, right, AllocationType::kOld)
+          .ToHandleChecked();
+    }
  }

  // If one of the string is not in readonly space, then we need a