From 5d546c2ac010a74879ad6f13772678858646d2c3 Mon Sep 17 00:00:00 2001
From: Michael Lippautz
Date: Mon, 27 Jun 2022 16:34:36 +0200
Subject: [PATCH] [heap] Fix aligned allocation in ConcurrentAllocator

Don't actually free memory as that would maintain free bytes accounting. Instead, just write a filler that is reclaimed on next garbage collection, updating counters.

Bug: v8:13000, chromium:1338687
Change-Id: I5339505160fde4b2f522a1a4212d23d7afc2b5f3
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3726292
Reviewed-by: Omer Katz
Commit-Queue: Michael Lippautz
Cr-Commit-Position: refs/heads/main@{#81407}
---
src/heap/concurrent-allocator.cc | 22 ++++++----------------
src/heap/heap.cc | 11 ++++++-----
2 files changed, 12 insertions(+), 21 deletions(-)
diff --git a/src/heap/concurrent-allocator.cc b/src/heap/concurrent-allocator.cc
index 21a5e7c27c..4b02b14170 100644
--- a/src/heap/concurrent-allocator.cc
+++ b/src/heap/concurrent-allocator.cc
@@ -170,26 +170,16 @@ AllocationResult ConcurrentAllocator::AllocateOutsideLab(
 if (!result) return AllocationResult::Failure();
 DCHECK_GE(result->second, aligned_size_in_bytes);
- HeapObject object = HeapObject::FromAddress(result->first);
- const int filler_size = Heap::GetFillToAlign(object.address(), alignment);
- DCHECK_IMPLIES(filler_size != 0, filler_size == requested_filler_size);
-
- // Actually align the allocation.
- if (requested_filler_size) {
- if (filler_size) {
- object = local_heap_->heap()->PrecedeWithFiller(object, filler_size);
- } else {
- // Free the unneeded filler space.
- space_->Free(object.address() + size_in_bytes, requested_filler_size,
- SpaceAccountingMode::kSpaceAccounted);
- }
- }
-
+ HeapObject object =
+ (requested_filler_size)
+ ? owning_heap()->AlignWithFiller(
+ HeapObject::FromAddress(result->first), size_in_bytes,
+ static_cast(result->second), alignment)
+ : HeapObject::FromAddress(result->first);
 if (IsBlackAllocationEnabled()) {
 owning_heap()->incremental_marking()->MarkBlackBackground(object, size_in_bytes);
 }
-
 return AllocationResult::FromObject(object);
 }
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index 9954f759d6..80ad76a92f 100644
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
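Review bot: The reason the surplus alignment bytes are no longer returned through `space_->Free(...)` now lives only in the commit message, while the removed `// Free the unneeded filler space.` comment was the only in-code hint; the new `HeapObject object =` site should carry it, e.g. `// Cover surplus alignment bytes with a filler instead of Free(): freeing here would touch the space's free-bytes accounting. The filler is reclaimed by the next GC.` The `static_cast(result->second)` argument has lost its template argument in this rendering; presumably it is a narrowing cast to the `int allocation_size` parameter of `AlignWithFiller`, and the only bound on `result->second` visible here is the lower one in `DCHECK_GE(result->second, aligned_size_in_bytes)`, so an upper-bound DCHECK before the cast would make the narrowing explicit. As a matter of style, `HeapObject::FromAddress(result->first)` is evaluated in both arms of the ternary; `HeapObject object = HeapObject::FromAddress(result->first);` followed by `if (requested_filler_size) object = owning_heap()->AlignWithFiller(object, size_in_bytes, static_cast<int>(result->second), alignment);` reads more directly. `AllocateOutsideLab` begins before this hunk, so where `requested_filler_size` and `aligned_size_in_bytes` are derived is not visible here.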
@@ -3150,15 +3150,16 @@ HeapObject Heap::PrecedeWithFiller(HeapObject object, int filler_size) {
 HeapObject Heap::AlignWithFiller(HeapObject object, int object_size, int allocation_size, AllocationAlignment alignment) {
- int filler_size = allocation_size - object_size;
+ const int filler_size = allocation_size - object_size;
 DCHECK_LT(0, filler_size);
- int pre_filler = GetFillToAlign(object.address(), alignment);
+ const int pre_filler = GetFillToAlign(object.address(), alignment);
 if (pre_filler) {
 object = PrecedeWithFiller(object, pre_filler);
- filler_size -= pre_filler;
 }
-
- if (filler_size) {
- CreateFillerObjectAt(object.address() + object_size, filler_size);
+ DCHECK_LE(0, filler_size - pre_filler);
+ const int post_filler = filler_size - pre_filler;
+ if (post_filler) {
+ CreateFillerObjectAt(object.address() + object_size, post_filler);
 }
 return object;
 }
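Review bot: The new `DCHECK_LE(0, filler_size - pre_filler);` runs only after `PrecedeWithFiller(object, pre_filler)` has already written `pre_filler` bytes and moved `object` forward, so in a debug build the invariant is checked after the allocation would already have been overrun. Since `pre_filler` is now `const`, the check can sit directly after it is computed and before the `if (pre_filler)` branch, as `DCHECK_LE(pre_filler, filler_size);`, which also states the relationship the code relies on more plainly than a comparison against zero. The function also has no header comment; a short one above `Heap::AlignWithFiller` stating that `allocation_size` must exceed `object_size` by at least the alignment slack (the existing `DCHECK_LT(0, filler_size)` rejects an exactly-sized allocation), that the returned `HeapObject` may be moved forward by `pre_filler`, and that any remaining slack is covered by a filler at `object.address() + object_size` would spare callers such as the concurrent allocator from reading the body. `AlignWithFiller` is fully contained in this hunk.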