[heap] Fix bug in ArrayBufferSweeper

Calling EnsureFinished could sweep array buffers without first making sure that promoted page iteration is done. Bug: chromium:1411076 Change-Id: Ic6cb9b13af0851f40c8720f046602a7739aa0efa Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4205922 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Omer Katz <omerkatz@chromium.org> Cr-Commit-Position: refs/heads/main@{#85563}
2023-01-31 13:15:35 +01:00 · 2023-01-31 13:15:35 +01:00 · 20a592c212
commit 20a592c212
parent 3ebbb651e2
3 changed files with 13 additions and 10 deletions
--- a/src/heap/array-buffer-sweeper.cc
+++ b/src/heap/array-buffer-sweeper.cc
@ -7,6 +7,7 @@
 #include <atomic>
 #include <memory>

+#include "src/base/logging.h"
 #include "src/heap/gc-tracer-inl.h"
 #include "src/heap/gc-tracer.h"
 #include "src/heap/heap-inl.h"
@ -117,7 +118,7 @@ void ArrayBufferSweeper::EnsureFinished() {
  switch (abort_result) {
    case TryAbortResult::kTaskAborted:
      // Task has not run, so we need to run it synchronously here.
-      job_->Sweep();
+      DoSweep();
      break;
    case TryAbortResult::kTaskRemoved:
      // Task was removed, but did actually run, just ensure we are in the right
@ -164,20 +165,25 @@ void ArrayBufferSweeper::RequestSweep(SweepingType type) {
              ? GCTracer::Scope::BACKGROUND_YOUNG_ARRAY_BUFFER_SWEEP
              : GCTracer::Scope::BACKGROUND_FULL_ARRAY_BUFFER_SWEEP;
      TRACE_GC_EPOCH(heap_->tracer(), scope_id, ThreadKind::kBackground);
-      local_sweeper_.ContributeAndWaitForPromotedPagesIteration();
      base::MutexGuard guard(&sweeping_mutex_);
-      job_->Sweep();
+      DoSweep();
      job_finished_.NotifyAll();
    });
    job_->id_ = task->id();
    V8::GetCurrentPlatform()->CallOnWorkerThread(std::move(task));
  } else {
-    local_sweeper_.ContributeAndWaitForPromotedPagesIteration();
-    job_->Sweep();
+    DoSweep();
    Finalize();
  }
 }

+void ArrayBufferSweeper::DoSweep() {
+  DCHECK_NOT_NULL(job_);
+  local_sweeper_.ContributeAndWaitForPromotedPagesIteration();
+  DCHECK(!heap_->sweeper()->IsIteratingPromotedPages());
+  job_->Sweep();
+}
+
 void ArrayBufferSweeper::Prepare(SweepingType type) {
  DCHECK(!sweeping_in_progress());
  switch (type) {
--- a/src/heap/array-buffer-sweeper.h
+++ b/src/heap/array-buffer-sweeper.h
@ -91,6 +91,8 @@ class ArrayBufferSweeper final {

  void ReleaseAll(ArrayBufferList* extension);

+  void DoSweep();
+
  Heap* const heap_;
  std::unique_ptr<SweepingJob> job_;
  base::Mutex sweeping_mutex_;
--- a/src/heap/sweeper.cc
+++ b/src/heap/sweeper.cc
@ -855,11 +855,6 @@ class PromotedPageRecordMigratedSlotVisitor
  inline void VisitExternalPointer(HeapObject host, ExternalPointerSlot slot,
                                   ExternalPointerTag tag) final {}

-  inline void MarkArrayBufferExtensionPromoted(HeapObject object) {
-    if (!object.IsJSArrayBuffer()) return;
-    JSArrayBuffer::cast(object).YoungMarkExtensionPromoted();
-  }
-
 protected:
  inline void RecordMigratedSlot(HeapObject host, MaybeObject value,
                                 Address slot) {