From c6527293a5f4a1b4b475df6275b40fe2987cc322 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dominik=20Inf=C3=BChr?= Date: Tue, 31 May 2022 21:47:26 +0200 Subject: [PATCH] [heap] Fix external bytes accounting when promoting large objects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Unlike other spaces we didn't update external bytes counters when adding or removing pages from large spaces. Bug: chromium:1329766 Change-Id: I5fbc8703964f9e4e846d986c32c5d57ed4f0c0c5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3681118 Commit-Queue: Dominik Inführ Reviewed-by: Omer Katz Cr-Commit-Position: refs/heads/main@{#80877} --- src/heap/large-spaces.cc | 8 ++++++++ test/mjsunit/large-external-string.js | 16 ++++++++++++++++ 2 files changed, 24 insertions(+) create mode 100644 test/mjsunit/large-external-string.js diff --git a/src/heap/large-spaces.cc b/src/heap/large-spaces.cc index 2a1e024671..3c840d2671 100644 --- a/src/heap/large-spaces.cc +++ b/src/heap/large-spaces.cc @@ -267,6 +267,10 @@ void LargeObjectSpace::AddPage(LargePage* page, size_t object_size) { page->set_owner(this); page->SetOldGenerationPageFlags(!is_off_thread() && heap()->incremental_marking()->IsMarking()); + for (size_t i = 0; i < ExternalBackingStoreType::kNumTypes; i++) { + ExternalBackingStoreType t = static_cast(i); + IncrementExternalBackingStoreBytes(t, page->ExternalBackingStoreBytes(t)); + } } void LargeObjectSpace::RemovePage(LargePage* page) { size_ -= static_cast(page->size()); @@ -274,6 +278,10 @@ void LargeObjectSpace::RemovePage(LargePage* page) { page_count_--; memory_chunk_list_.Remove(page); page->set_owner(nullptr); + for (size_t i = 0; i < ExternalBackingStoreType::kNumTypes; i++) { + ExternalBackingStoreType t = static_cast(i); + DecrementExternalBackingStoreBytes(t, page->ExternalBackingStoreBytes(t)); + } } namespace { 
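Review bot: The four-line loop added at the end of AddPage is repeated in the RemovePage hunk with only Increment swapped for Decrement, so the two paths can drift apart again, which is the kind of mismatch this commit fixes. A small private helper that both call, or at least a shared comment such as `// Keep this space's per-type external byte counters in step with the page; large pages change owner on promotion.`, would keep the pair visibly symmetric. As rendered here `static_cast(i)` shows no target type, presumably lost in extraction rather than in the patch itself. AddPage begins above the hunk, so the size and page-count updates this loop sits next to are not visible.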
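Review bot: The decrement added to RemovePage assumes the space-level counter already contains this page's bytes, which holds only when the page entered the space through the patched AddPage. Whether DecrementExternalBackingStoreBytes itself rejects a decrement larger than the current total is not visible in the hunk. If it does not, a debug check before the call, for example `DCHECK_GE(ExternalBackingStoreBytes(t), page->ExternalBackingStoreBytes(t));`, would surface an accounting mismatch where it happens instead of later during heap verification. RemovePage's opening lines are outside this hunk.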
diff --git a/test/mjsunit/large-external-string.js b/test/mjsunit/large-external-string.js
new file mode 100644
index 0000000000..d07c47c395
--- /dev/null
+++ b/test/mjsunit/large-external-string.js
@@ -0,0 +1,16 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --expose-gc --expose-externalize-string --verify-heap
+
+const LENGTH = 100 * 1000;
+const data = new Array();
+
+for (var i = 0; i < LENGTH; ++i) {
+ data.push('do ');
+}
+
+const largeText = data.join();
+externalizeString(largeText);
+gc();
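Review bot: The new test contains no assertion of its own and can fail only through `--verify-heap`, so on a build without heap verification it would probably pass even if the accounting regressed. It also relies on a single `gc()` promoting the externalized string between large-object spaces, which depends on allocation behaviour not visible here. A header comment stating the intent would help the next reader, for example `// Regression test for chromium:1329766: external bytes must stay consistent when a large externalized string is promoted.`, placed above the `// Flags:` line.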