AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

cppgc: Fix DCHECK on destroying a large page

Browse Source 
The DCHECK ensures that a page that is going to be destroyed is not
anymore part of the vector of pages of a space. This DCHECK runs while
a potential concurrent sweeper task may add a page for a live object
to the vector, resulting in a broken iteration. Use the pages lock to
fix this.

Bug: chromium:1268969
Change-Id: Ice87026957b3e6b5d36cf28293f7aa6901e96ba2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3277132
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Anton Bikineev <bikineev@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77867}
This commit is contained in:
Michael Lippautz 2021-11-12 11:50:23 +01:00 committed by V8 LUCI CQ
parent 67cdb3767c
commit a57311ca65
2 changed files with 11 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/heap/cppgc/heap-page.cc
View File

@ -8,6 +8,7 @@
#include "include/cppgc/internal/api-constants.h"
#include "src/base/logging.h"
#include "src/base/platform/mutex.h"
#include "src/heap/cppgc/globals.h"
#include "src/heap/cppgc/heap-object-header.h"
#include "src/heap/cppgc/heap-space.h"
@ -239,8 +240,14 @@ void LargePage::Destroy(LargePage* page) {
DCHECK(page);
#if DEBUG
const BaseSpace& space = page->space();
DCHECK_EQ(space.end(), std::find(space.begin(), space.end(), page));
#endif
{
// Destroy() happens on the mutator but another concurrent sweeper task may
// add add a live object using `BaseSpace::AddPage()` while iterating the
// pages.
v8::base::LockGuard<v8::base::Mutex> guard(&space.pages_mutex());
DCHECK_EQ(space.end(), std::find(space.begin(), space.end(), page));
}
#endif // DEBUG
page->~LargePage();
PageBackend* backend = page->heap().page_backend();
page->heap().stats_collector()->NotifyFreedMemory(

3
src/heap/cppgc/heap-space.h
View File

@ -46,6 +46,7 @@ class V8_EXPORT_PRIVATE BaseSpace {
void AddPage(BasePage*);
void RemovePage(BasePage*);
Pages RemoveAllPages();
v8::base::Mutex& pages_mutex() const { return pages_mutex_; }
bool is_compactable() const { return is_compactable_; }
@ -57,7 +58,7 @@ class V8_EXPORT_PRIVATE BaseSpace {
private:
RawHeap* heap_;
Pages pages_;
v8::base::Mutex pages_mutex_;
mutable v8::base::Mutex pages_mutex_;
const size_t index_;
const PageType type_;
const bool is_compactable_;