Issue 1489243004: Revert of [heap] Clean up stale store buffer entries for aborted pages.

Issue 1489243004: Revert of [heap] Clean up stale store buffer entries for aborted pages. (Closed)

Created:
5 years ago by Michael Lippautz

Modified:
5 years ago

Reviewers:
Hannes Payer (out of office), ulan

CC:
v8-reviews_googlegroups.com, Michael Hablich

Base URL:
https://chromium.googlesource.com/v8/v8.git@master

Target Ref:
refs/pending/heads/master

Project:
v8

Visibility:
Public.

More Reviews

Description

Revert of [heap] Clean up stale store buffer entries for aborted pages. (patchset #4 id:60001 of https://codereview.chromium.org/1493653002/ ) Reason for revert: Not completely correct fix. Original issue's description: > [heap] Clean up stale store buffer entries for aborted pages. > > 1. Let X be the aborted slot (slot in an evacuated object in an aborted page) > 2. Assume X contains pointer to Y and Y is in the new space, so X is in the > store buffer. > 3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)). > 4. The current mark-sweep finishes. The slot X is in free space and is also in > the store buffer. > 5. A string of length 9 "abcdefghi" is allocated in the new space. The string > looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is > previous garbage. Let's assume that NNNNNNN0 was pointing to a new space > object before. > 6. Scavenge happens. > 7. Slot X is still in free space and in store buffer. [It causes scavenge of > the object Y in > store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But > it is not important]. > 8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi > is written in X. > 9. The scavenge finishes. > 9. Another scavenge starts. > 10. We crash in > store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when > processing slot X, because it doesn't point to valid map. > > BUG=chromium:524425, chromium:564498 > LOG=N > R=hpayer@chromium.org, ulan@chromium.org > > Committed: https://crrev.com/2e7eea4aef3403969fe885e30f892d46253b3572 > Cr-Commit-Position: refs/heads/master@{#32495} TBR=hpayer@chromium.org,ulan@chromium.org NOPRESUBMIT=true NOTREECHECKS=true NOTRY=true BUG=chromium:524425, chromium:564498 Committed: https://crrev.com/d4fc4a8cad0a8f94ea2a8bca7c76cebd8793395c Cr-Commit-Position: refs/heads/master@{#32504}

Patch Set 1 #

Created: 5 years ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+1 line, -9 lines)			Patch
	M	src/heap/mark-compact.cc	View		2 chunks	+0 lines, -7 lines	0 comments	Download
	M	src/heap/spaces.h	View		1 chunk	+1 line, -2 lines	0 comments	Download

Messages

Total messages: 5 (1 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

Michael Lippautz

Created Revert of [heap] Clean up stale store buffer entries for aborted pages.

5 years ago (2015-12-02 11:43:15 UTC) #1

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1489243004/1 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1489243004/1

5 years ago (2015-12-02 11:43:22 UTC) #2

commit-bot: I haz the power

Description was changed from ========== Revert of [heap] Clean up stale store buffer entries for ...

5 years ago (2015-12-02 11:43:48 UTC) #4

Message was sent while issue was closed.

Description was changed from

==========
Revert of [heap] Clean up stale store buffer entries for aborted pages.
(patchset #4 id:60001 of https://codereview.chromium.org/1493653002/ )

Reason for revert:
Not completely correct fix.

Original issue's description:
> [heap] Clean up stale store buffer entries for aborted pages.
> 
> 1.  Let X be the aborted slot (slot in an evacuated object in an aborted page)
> 2.  Assume X contains pointer to Y and Y is in the new space, so X is in the
>     store buffer.
> 3.  Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
> 4.  The current mark-sweep finishes. The slot X is in free space and is also
in
>     the store buffer.
> 5.  A string of length 9 "abcdefghi" is allocated in the new space. The string
>     looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
>     previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
>     object before.
> 6.  Scavenge happens.
> 7.  Slot X is still in free space and in store buffer. [It causes scavenge of
>     the object Y in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
>     it is not important].
> 8.  Our string is promoted and is allocated over the slot X, such that
NNNNNNNi
>     is written in X.
> 9.  The scavenge finishes.
> 9.  Another scavenge starts.
> 10. We crash in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
>     processing slot X, because it doesn't point to valid map.
> 
> BUG=chromium:524425,chromium:564498
> LOG=N
> R=hpayer@chromium.org, ulan@chromium.org
> 
> Committed: https://crrev.com/2e7eea4aef3403969fe885e30f892d46253b3572
> Cr-Commit-Position: refs/heads/master@{#32495}

TBR=hpayer@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425,chromium:564498
==========

to

==========
Revert of [heap] Clean up stale store buffer entries for aborted pages.
(patchset #4 id:60001 of https://codereview.chromium.org/1493653002/ )

Reason for revert:
Not completely correct fix.

Original issue's description:
> [heap] Clean up stale store buffer entries for aborted pages.
>
> 1.  Let X be the aborted slot (slot in an evacuated object in an aborted page)
> 2.  Assume X contains pointer to Y and Y is in the new space, so X is in the
>     store buffer.
> 3.  Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
> 4.  The current mark-sweep finishes. The slot X is in free space and is also
in
>     the store buffer.
> 5.  A string of length 9 "abcdefghi" is allocated in the new space. The string
>     looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
>     previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
>     object before.
> 6.  Scavenge happens.
> 7.  Slot X is still in free space and in store buffer. [It causes scavenge of
>     the object Y in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
>     it is not important].
> 8.  Our string is promoted and is allocated over the slot X, such that
NNNNNNNi
>     is written in X.
> 9.  The scavenge finishes.
> 9.  Another scavenge starts.
> 10. We crash in
>     store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
>     processing slot X, because it doesn't point to valid map.
>
> BUG=chromium:524425,chromium:564498
> LOG=N
> R=hpayer@chromium.org, ulan@chromium.org
>
> Committed: https://crrev.com/2e7eea4aef3403969fe885e30f892d46253b3572
> Cr-Commit-Position: refs/heads/master@{#32495}

TBR=hpayer@chromium.org,ulan@chromium.org
NOPRESUBMIT=true
NOTREECHECKS=true
NOTRY=true
BUG=chromium:524425,chromium:564498

Committed: https://crrev.com/d4fc4a8cad0a8f94ea2a8bca7c76cebd8793395c
Cr-Commit-Position: refs/heads/master@{#32504}
==========

commit-bot: I haz the power

5 years ago (2015-12-02 11:43:49 UTC) #5

Message was sent while issue was closed.

Patchset 1 (id:??) landed as
https://crrev.com/d4fc4a8cad0a8f94ea2a8bca7c76cebd8793395c
Cr-Commit-Position: refs/heads/master@{#32504}

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages