src/baseline · a684b5df506fdda33c05eb6874f4a6f1a262218d · Linshizhi / V8

[baseline] Fix race between baseline compiler and GC on page flags · 911f6f03

Dominik Inführ authored Feb 10, 2022

We need to create the CodePageCollectionMemoryModificationScope *after*
setting up the LocalIsolate. Otherwise the destructor of that scope will
run after that thread detached from the isolate, when it isn't part of
the next GC safepoint anymore. This allows two concurrent operations
on the page flags:

1) The destructor of CodePageCollectionMemoryModificationScope protects
   the page again and accesses page flags in a DCHECK.
2) The GC unprotects the code pages for the collection and sets the
   the evacuation candidate flag.

Bug: chromium:1295738
Change-Id: I6de626bb075f43e26d74dba18e28fe34331fdfd2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3451714
Auto-Submit: Dominik Inführ <dinfuehr@chromium.org>
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#79025}

911f6f03

Name	Last commit	Last update
..
arm		Loading commit data...
arm64		Loading commit data...
ia32		Loading commit data...
loong64		Loading commit data...
mips		Loading commit data...
mips64		Loading commit data...
ppc		Loading commit data...
riscv64		Loading commit data...
s390		Loading commit data...
x64		Loading commit data...
DEPS		Loading commit data...
OWNERS		Loading commit data...
baseline-assembler-inl.h		Loading commit data...
baseline-assembler.h		Loading commit data...
baseline-batch-compiler.cc		Loading commit data...
baseline-batch-compiler.h		Loading commit data...
baseline-compiler.cc		Loading commit data...
baseline-compiler.h		Loading commit data...
baseline.cc		Loading commit data...
baseline.h		Loading commit data...
bytecode-offset-iterator.cc		Loading commit data...
bytecode-offset-iterator.h		Loading commit data...