[heap] Skip ephemeron values that shouldn't be marked

Bug: chromium:1403129
Change-Id: Ic26583be78e4e16a5bc18d8d8ce2bfb79ec70dad
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4136976
Reviewed-by: Dominik Inführ <dinfuehr@chromium.org>
Commit-Queue: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/heads/main@{#85270}

src/heap/mark-compact.cc

@@ -2613,6 +2613,15 @@ std::pair<size_t, size_t> MarkCompactCollector::ProcessMarkingWorklist(
 }
 
 bool MarkCompactCollector::ProcessEphemeron(HeapObject key, HeapObject value) {
+  // Objects in the shared heap are prohibited from being used as keys in
+  // WeakMaps and WeakSets and therefore cannot be ephemeron keys, because that
+  // would enable thread local -> shared heap edges.
+  DCHECK(!key.InSharedWritableHeap());
+  // Usually values that should not be marked are not added to the ephemeron
+  // worklist. However, minor collection during incremental marking may promote
+  // strings from the younger generation into the shared heap. This
+  // ShouldMarkObject call catches those cases.
+  if (!ShouldMarkObject(value)) return false;
   if (marking_state()->IsBlackOrGrey(key)) {
     if (marking_state()->WhiteToGrey(value)) {
       local_marking_worklists()->Push(value);

src/heap/marking-visitor-inl.h

@@ -365,8 +365,11 @@ int MarkingVisitorBase<ConcreteVisitor, MarkingState>::VisitEphemeronHashTable(
     ObjectSlot value_slot =
         table.RawFieldOfElementAt(EphemeronHashTable::EntryToValueIndex(i));
 
-    if (!ShouldMarkObject(key) ||
-        concrete_visitor()->marking_state()->IsBlackOrGrey(key)) {
+    // Objects in the shared heap are prohibited from being used as keys in
+    // WeakMaps and WeakSets and therefore cannot be ephemeron keys. See also
+    // MarkCompactCollector::ProcessEphemeron.
+    DCHECK(!key.InSharedWritableHeap());
+    if (concrete_visitor()->marking_state()->IsBlackOrGrey(key)) {
       VisitPointer(table, value_slot);
     } else {
       Object value_obj = table.ValueAt(i);