• [heap, api] Check assumptions for embedder fields on set · 61193620
    Michael Lippautz authored
    Previously, we would set embedder fields and do type checks (on
    embedder fields) in the GC. This does not work nicely as embedder
    fields contain system pointers whereas we can only operate with
    tag-aligned reads/writes. The end result of assembling pointers was
    sometimes broken for concurrent marking.
    
    In this CL we reverse the mode and check assumptions when writing the
    fields. From Blink we generally only write once and use the fields in
    the GC and via reads multiple times.
    
    We assume that when running with CppHeap, any pointer on an instance
    field that points into CppHeap, also has the type field set with the
    appropriate tracing information. In debug builds we also verify that
    the embedder field indeed points to the start of an Oilpan object.
    
    Bug: chromium:1337690
    Change-Id: I9f9a8e691cdcf666861a455dcf8f65f2fe80b034
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3788206
    Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
    Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
    Reviewed-by: Omer Katz <omerkatz@chromium.org>
    Reviewed-by: Igor Sheludko <ishell@chromium.org>
    Cr-Commit-Position: refs/heads/main@{#82120}
Name
api
asmjs
ast
base
baseline
bigint
builtins
codegen
common
compiler
compiler-dispatcher
d8
date
debug
deoptimizer
diagnostics
execution
extensions
flags
handles
heap
ic
init
inspector
interpreter
json
libplatform
libsampler
logging
maglev
numbers
objects
parsing
profiler
protobuf
regexp
roots
runtime
sandbox
sanitizer
snapshot
strings
tasks
temporal
third_party
torque
tracing
trap-handler
utils
wasm
web-snapshot
zone
DEPS
DIR_METADATA
OWNERS