5611f70b3d
This is a reland of bc33f5aeba
Contributed by titzer@chromium.org
Original change's description:
> [arraybuffer] Rearchitect backing store ownership
>
> This CL completely rearchitects the ownership of array buffer backing stores,
> consolidating ownership into a {BackingStore} C++ object that is tracked
> throughout V8 using unique_ptr and shared_ptr where appropriate.
>
> Overall, lifetime management is simpler and more explicit. The numerous
> ways that array buffers were initialized have been streamlined to one
> Attach() method on JSArrayBuffer. The array buffer tracker in the
> GC implementation now manages std::shared_ptr<BackingStore> pointers,
> and the construction and destruction of the BackingStore object itself
> handles the underlying page or embedder-allocated memory.
>
> The embedder API remains unchanged for now. We use the
> v8::ArrayBuffer::Contents struct to hide an additional shared_ptr to
> keep the backing store alive properly, even in the case of aliases
> from live heap objects. Thus the embedder has a lower chance of making
> a mistake. Long-term, we should move the embedder to a model where they
> manage backing stores using shared_ptr to an opaque backing store object.
TBR=yangguo@chromium.org
BUG=v8:9380,v8:9221,chromium:986318
Change-Id: If671a4a9ca0476e8f084efae46e0d2bf99ed99ef
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1731005
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Clemens Hammacher <clemensh@chromium.org>
Reviewed-by: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#63041}
86 lines
2.6 KiB
C++
86 lines
2.6 KiB
C++
// Copyright 2019 the V8 project authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style license that can be
|
|
// found in the LICENSE file.
|
|
|
|
#include "src/api/api-inl.h"
|
|
#include "src/objects/backing-store.h"
|
|
#include "src/wasm/wasm-objects.h"
|
|
|
|
#include "test/cctest/cctest.h"
|
|
#include "test/cctest/manually-externalized-buffer.h"
|
|
|
|
namespace v8 {
|
|
namespace internal {
|
|
|
|
using testing::ManuallyExternalizedBuffer;
|
|
|
|
TEST(Run_WasmModule_Buffer_Externalized_Detach) {
|
|
{
|
|
// Regression test for
|
|
// https://bugs.chromium.org/p/chromium/issues/detail?id=731046
|
|
Isolate* isolate = CcTest::InitIsolateOnce();
|
|
HandleScope scope(isolate);
|
|
MaybeHandle<JSArrayBuffer> result =
|
|
isolate->factory()->NewJSArrayBufferAndBackingStore(
|
|
wasm::kWasmPageSize, InitializedFlag::kZeroInitialized);
|
|
Handle<JSArrayBuffer> buffer = result.ToHandleChecked();
|
|
|
|
// Embedder requests contents.
|
|
ManuallyExternalizedBuffer external(buffer);
|
|
|
|
buffer->Detach();
|
|
CHECK(buffer->was_detached());
|
|
|
|
// Make sure we can write to the buffer without crashing
|
|
uint32_t* int_buffer =
|
|
reinterpret_cast<uint32_t*>(external.backing_store());
|
|
int_buffer[0] = 0;
|
|
// Embedder frees contents.
|
|
}
|
|
CcTest::CollectAllAvailableGarbage();
|
|
}
|
|
|
|
TEST(Run_WasmModule_Buffer_Externalized_Regression_UseAfterFree) {
|
|
{
|
|
// Regression test for https://crbug.com/813876
|
|
Isolate* isolate = CcTest::InitIsolateOnce();
|
|
HandleScope scope(isolate);
|
|
MaybeHandle<WasmMemoryObject> result =
|
|
WasmMemoryObject::New(isolate, 1, 1, SharedFlag::kNotShared);
|
|
Handle<WasmMemoryObject> memory_object = result.ToHandleChecked();
|
|
Handle<JSArrayBuffer> buffer(memory_object->array_buffer(), isolate);
|
|
|
|
{
|
|
// Embedder requests contents.
|
|
ManuallyExternalizedBuffer external(buffer);
|
|
|
|
// Growing (even by 0) detaches the old buffer.
|
|
WasmMemoryObject::Grow(isolate, memory_object, 0);
|
|
CHECK(buffer->was_detached());
|
|
|
|
// Embedder frees contents.
|
|
}
|
|
|
|
// Make sure the memory object has a new buffer that can be written to.
|
|
uint32_t* int_buffer = reinterpret_cast<uint32_t*>(
|
|
memory_object->array_buffer().backing_store());
|
|
int_buffer[0] = 0;
|
|
}
|
|
CcTest::CollectAllAvailableGarbage();
|
|
}
|
|
|
|
#if V8_TARGET_ARCH_64_BIT
|
|
TEST(BackingStore_Reclaim) {
|
|
// Make sure we can allocate memories without running out of address space.
|
|
Isolate* isolate = CcTest::InitIsolateOnce();
|
|
for (int i = 0; i < 256; ++i) {
|
|
auto backing_store =
|
|
BackingStore::AllocateWasmMemory(isolate, 1, 1, SharedFlag::kNotShared);
|
|
CHECK(backing_store);
|
|
}
|
|
}
|
|
#endif
|
|
|
|
} // namespace internal
|
|
} // namespace v8
|