V8 compaction, which currently runs before verification, can update
stack slots, which could lead to more false positives when we scan
compressed pointers on stack. The CL disables the stack verification if
pointer compression. The intent is to investigate if verification can be
moved before compaction.

Bug: chromium:1325007
Change-Id: Idc01df9c58bfbf338b5e95caf5f03a88593c6478
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3789381
Auto-Submit: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81997}

Currently, PageAllocator assumes that FreePages(start, size) will always
be called on the same region that was passed to AllocatePages(start,
size). This assumption is made in:
1) leak-sanitizer (LsanPageAllocator) that checks it explicitly,
2) on Windows, FreePages() calls VirtualFree() with zero-size and
   MEM_RELEASE, which causes the entire reservation to be freed.

The CL temporarily fixes the bot failures just by holding the unneeded
half and adds a TODO to return the unneded part back to the OS.

Bug: chromium:1325007
Change-Id: I2bd878876d43d693cf2138020f410ffe1615b4e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3695363Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81059}

The CL does the following:
1) Globalizes CagedHeap for all HeapBases;
2) Adds the global variable representing the cage base;
3) Changes all write-barriers to use this global variable for value/slot
   checks;
4) Removes no longer needed functionality introduced in previous CLs.

Bug: v8:12231
Change-Id: I281a7b0bf67e349c988486fc2d43ec6d703fd292
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3688050
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81027}

This reduces card granularity from 4096 to 512 bytes with the goal to
improve write barrier filtering.

Bug: chromium:1029379
Change-Id: I22e2a9c61ef4c36c3db65404370213d0a8048e08
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3582393Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79960}

Avoid verifying the stack when running with TSAN as the TSAN runtime
changes stack contents when e.g. working with locks.

Specifically, the marker uses locks in slow path operations which
results in stack changes throughout marking. This means that the
conservative iteration in the verifier may find more objects then the
regular marker. The difference is benign as the delta of objects is
not reachable from user code but it prevents verification.

Bug: chromium:1275581
Change-Id: Ie316ab65a5b90a1b72c09966f72d61af91224091
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3317976
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78260}

This is a reland of 76f6c276

Original change's description:
> cppgc: Fix data race ObjectSizeTrait
>
> Fix benign race in
>   https://clusterfuzz.com/testcase-detail/5203237072076800
>
> Change-Id: I558b230e4905a48342d8e7cf70d39be5a1b7fdb8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306375
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78121}

Change-Id: Ifa50f35591b2ae40f11a384f0fb2ff50115b2511
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306379
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78124}

This reverts commit 76f6c276.

Reason for revert: Mac64 ASAN is unhappy, please see https://ci.chromium.org/ui/p/v8/builders/ci/V8%20Mac64%20ASAN%20-%20builder/194/overview

Original change's description:
> cppgc: Fix data race ObjectSizeTrait
>
> Fix benign race in
>   https://clusterfuzz.com/testcase-detail/5203237072076800
>
> Change-Id: I558b230e4905a48342d8e7cf70d39be5a1b7fdb8
> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306375
> Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
> Commit-Queue: Omer Katz <omerkatz@chromium.org>
> Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
> Reviewed-by: Omer Katz <omerkatz@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#78121}

Change-Id: I96c40a1e3421f59cf97efd4a844a041280989171
No-Presubmit: true
No-Tree-Checks: true
No-Try: true
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306377
Auto-Submit: Maya Lekova <mslekova@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Owners-Override: Maya Lekova <mslekova@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78122}

Fix benign race in
  https://clusterfuzz.com/testcase-detail/5203237072076800

Change-Id: I558b230e4905a48342d8e7cf70d39be5a1b7fdb8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306375
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#78121}

Marking verification should only process young generation objects when
verifying the marking state of a young generation garbage collection.

Bug: v8:12324
Change-Id: I01db261437ec5c42ddb6c79c44e31b5fe0e536d7
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3231343Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77518}

Adds a heap verification GN arg to gate the marking verifier and live
bytes verification on. The flag may be used in future for other more
expensive checks as well.

Currently, the flag is automatically enabled in dcheck_is_on and debug
builds.

The change enables live bytes verification for the library in regular
debug builds which may flush out issues.

Bug: v8:11785
Change-Id: I0f41bc0d76ebea9f6a8c9315c947598015ee5d68
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097868
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#76325}

Bug: v8:11822
Change-Id: I35f3b5ce71ab5f86a5d9991bb9d729a2fe56f6dd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2919955Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74840}

The marking verifier already traverses the whole heap using page
iteration. Add an option to allow checking that the verifier pass
finds the same amount of live bytes as the marker traversal.

Bug: chromium:1056170
Change-Id: I1dc4cd0c04147b8cd3e3eb7678276b665336e615
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2902724
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74630}

Replaces Payload* terminiology with Object* terminology.
HoH::ObjectSize = just the object, without the header.
HoH::AllocatedSize = both the object and the header.

Payload terminology is retained only for pages.

Bug: chromium:1056170
Change-Id: I568a324ae8728f098be642b024493c375ec873cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2892079
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74538}

The marking verifier used to run on a different stack than the marker
which could lead to it finding more objects than the marker. Fix this
by recording a stack end from which the verification starts. This
ensures that the verifier only finds a subset of the objects that the
actual stack scan finds.

Bug: v8:11709
Change-Id: I44fe7b247e56e75deded45b64c25379f1ad9e381
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2859848
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74320}

- Reset parent object and signal stack with nullptr sentinel
- Adjust FATAL messaging
- Fix dispatch for in-construction objects on stack

Bug: v8:11709
Change-Id: I4da0f0f373699aa1fa09745231911c7056978a4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2856837Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74275}

Cleanups around tracing bottlenecks and tests.

Bug: chromium:1056170
Change-Id: I1f9ddd6d8727971db3bed5294f4ff3fdd20a9e34
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2757696
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73394}

Conservative tracing of an in construction objects might enter an
infinite recursion if the object holds a reference to itself.
The second time we try to trace the object it will be already marked and
we can bail out of tracing it again.

Bug: chromium:1056170
Change-Id: I74e99ca70c83f00d47299562d291adf7ba4a5808
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2715065
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72979}

This CL adds TraceWeakContainer and VisitWeakContainer to the Visitor
api. It also introduces the weak_container_worklist_ used to force
re-tracing of weak containers that are reachable from stack.

Bug: chromium:1056170
Change-Id: I4ba75bd64939b8df9ece7422828a5ac647b03fd1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2491022
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70708}

Follow the marker pattern where actual logic is moved into a dedicated
state class and the visitors merely forward to that class.

Change-Id: Id3c6b7414343da82759bdba3dbb8286adee44cf4
Bug: chromium:1056170
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2480502
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70680}

Bug: chromium:1056170
Change-Id: I65a2b38c85a93ac2822cb7d2b7ac4bd66540348a
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2468996
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Auto-Submit: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70498}

Adds NameProvider to allow specifying names of objects. The
corresponding internal NameTrait is registered with the GCInfo object.

Use name infrastructure to provide a hint on encountering an unmarked
object in the marking verifier.

Bug: chromium:1056170
Change-Id: I95bb290660f5905500f861bd5cc85148a1b47184
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2454087
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#70400}

Assigning to reference to std::unordered_set doesn't change the
reference. It merely replaces the content of rhs with that of lhs.
We should use pointers instead.

Bug: chromium:1056170
Change-Id: I496544ca4b16ce8ae8a9aff57cb05a07cad984c1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2412184Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69918}

- Avoid invoking Trace() for in-construction objects as the method may
  access uninitialized fields, e.g., fields that have bogus state with
  zeroed memory like std::list.
- Conservatively scan in-construction objects for pointers.
- Verify that stack scan indeed finds all in-construction objects that
  are present on the heap and vice versa.

Bug: chromium:1056170
Change-Id: I2c68da2b8072f715b5a0dcdb1202d5f874c6c6e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2388106Reviewed-by: Omer Katz <omerkatz@chromium.org>
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69670}

This CL ports MarkingVerifier from blink.

The existing verifier checks only references on heap.
This new verifier checks references both on heap and on stack.

Bug: chromium:1056170
Change-Id: I083dcb0087125312cca34a2201015a9aecfe6ea4
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2300484
Commit-Queue: Omer Katz <omerkatz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68891}