[heap] Do not trace through blink after making weak roots strong for finalizers

Similar to object grouping, we cannot trace through blink (and back to V8) after
making weak roots strong because phantom callbacks have already been scheduled
and the handles been zapped.

This is a short-term solution (mimicing what object grouping currently does). It
is not correct in general because we should fully process the subgraph that was
discovered by making some of the weak roots strong.  In long term we need  a
separate handle type on the API level for traced references that have their
handles zapped at a different stage.

Reproduction:
- Initial marking is done, i.e., both marking deques are empty.
- We make weak roots needed for regular finalizers strong.
- We collect phantom callback data and zap handles that are not reachable so far.
- Through new roots we discover wrappables on the blink side that would also keep
  objects that were already scheduled for phantom callbacks alive.
- Since the handle was already zapped we crash during dereferencing.

BUG=chromium:668060,chromium:468240

Review-Url: https://codereview.chromium.org/2580813002
Cr-Commit-Position: refs/heads/master@{#41724}
This commit is contained in:
mlippautz 2016-12-15 06:39:59 -08:00 committed by Commit bot
parent ed080e6966
commit af6d01a168

View File

@ -2140,23 +2140,32 @@ void MarkCompactCollector::ProcessEphemeralMarking(
DCHECK(marking_deque()->IsEmpty() && !marking_deque()->overflowed());
bool work_to_do = true;
while (work_to_do) {
if (heap_->UsingEmbedderHeapTracer()) {
TRACE_GC(heap()->tracer(), GCTracer::Scope::MC_MARK_WRAPPER_TRACING);
heap_->RegisterWrappersWithEmbedderHeapTracer();
heap_->embedder_heap_tracer()->AdvanceTracing(
0, EmbedderHeapTracer::AdvanceTracingActions(
EmbedderHeapTracer::ForceCompletionAction::FORCE_COMPLETION));
}
if (!only_process_harmony_weak_collections) {
TRACE_GC(heap()->tracer(), GCTracer::Scope::MC_MARK_OBJECT_GROUPING);
isolate()->global_handles()->IterateObjectGroups(
visitor, &IsUnmarkedHeapObjectWithHeap);
MarkImplicitRefGroups(&MarkCompactMarkingVisitor::MarkObject);
if (heap_->UsingEmbedderHeapTracer()) {
TRACE_GC(heap()->tracer(), GCTracer::Scope::MC_MARK_WRAPPER_TRACING);
heap_->RegisterWrappersWithEmbedderHeapTracer();
heap_->embedder_heap_tracer()->AdvanceTracing(
0,
EmbedderHeapTracer::AdvanceTracingActions(
EmbedderHeapTracer::ForceCompletionAction::FORCE_COMPLETION));
} else {
TRACE_GC(heap()->tracer(), GCTracer::Scope::MC_MARK_OBJECT_GROUPING);
isolate()->global_handles()->IterateObjectGroups(
visitor, &IsUnmarkedHeapObjectWithHeap);
MarkImplicitRefGroups(&MarkCompactMarkingVisitor::MarkObject);
}
} else {
// TODO(mlippautz): We currently do not trace through blink when
// discovering new objects reachable from weak roots (that have been made
// strong). This is a limitation of not having a separate handle type
// that doesn't require zapping before this phase. See crbug.com/668060.
heap_->clear_wrappers_to_trace();
}
ProcessWeakCollections();
work_to_do = !marking_deque()->IsEmpty();
ProcessMarkingDeque<MarkCompactMode::FULL>();
}
CHECK(heap_->MarkingDequesAreEmpty());
}
void MarkCompactCollector::ProcessTopOptimizedFrame(ObjectVisitor* visitor) {