[shared-struct] Fix shared value barrier in TF

This CL fixes a bug where TurboFan was incorrectly compiling away the shared value barrier for shared arrays. TurboFan should not be compiling accesses to objects in the shared heap until it natively has support for the shared value barrier, because it is an invariant that shared objects do not point to non-shared objects. Bug: chromium:1404052, v8:12547 Change-Id: I5bd44ce5c44ad81a97421598e6d5b24fb5e210cd Fixed: chromium:1404052 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4136980 Commit-Queue: Shu-yu Guo <syg@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/main@{#85233}
2023-01-05 17:44:25 -08:00 · 2023-01-05 17:44:25 -08:00 · f1adbe2e44
commit f1adbe2e44
parent 24ca73004e
2 changed files with 37 additions and 6 deletions
--- a/src/compiler/js-native-context-specialization.cc
+++ b/src/compiler/js-native-context-specialization.cc
@ -1515,9 +1515,10 @@ Reduction JSNativeContextSpecialization::ReduceNamedAccess(
    for (const MapRef& map : inferred_maps) {
      if (map.is_deprecated()) continue;

-      // TODO(v8:12547): Support writing to shared structs, which needs a write
-      // barrier that calls Object::Share to ensure the RHS is shared.
-      if (InstanceTypeChecker::IsJSSharedStruct(map.instance_type()) &&
+      // TODO(v8:12547): Support writing to objects in shared space, which need
+      // a write barrier that calls Object::Share to ensure the RHS is shared.
+      if (InstanceTypeChecker::IsAlwaysSharedSpaceJSObject(
+              map.instance_type()) &&
          access_mode == AccessMode::kStore) {
        return NoChange();
      }
@ -2178,9 +2179,10 @@ Reduction JSNativeContextSpecialization::ReduceElementAccess(
          return NoChange();
        }

-        // TODO(v8:12547): Support writing to shared structs, which needs a
-        // write barrier that calls Object::Share to ensure the RHS is shared.
-        if (InstanceTypeChecker::IsJSSharedStruct(
+        // TODO(v8:12547): Support writing to objects in shared space, which
+        // need a write barrier that calls Object::Share to ensure the RHS is
+        // shared.
+        if (InstanceTypeChecker::IsAlwaysSharedSpaceJSObject(
                receiver_map.instance_type())) {
          return NoChange();
        }
--- a/test/mjsunit/shared-memory/shared-value-barrier-optimization.js
+++ b/test/mjsunit/shared-memory/shared-value-barrier-optimization.js
@ -0,0 +1,29 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --harmony-struct --allow-natives-syntax
+
+const Box = new SharedStructType(['payload']);
+let a, b;
+function f() {
+  a = SharedArray(4000);
+  b = new Box();
+  // Assignment into shared objects have a barrier that ensure the RHS is in
+  // shared space.
+  //
+  // RHS needs to be large enough to be in a HeapNumber. TF then allocates it
+  // out of the non-shared old space during optimization. If TF incorrectly
+  // compiles away the barrier, TF optimized code will create shared->local
+  // edges.
+  a[0] = 2000000000;
+  b.payload = 2000000000;
+}
+%PrepareFunctionForOptimization(f);
+for (let i = 0; i < 10; i++) f();
+// Verify that TF optimized code does not incorrectly compile away the shared
+// value barrier.
+%OptimizeFunctionOnNextCall(f);
+for (let i = 0; i < 10; i++) f();
+// SharedGC will verify there are no shared->local edges.
+%SharedGC();