Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
1493653002:
[heap] Clean up stale store buffer entries for aborted pages. (Closed)
|
Created:
5 years ago by Michael Lippautz Modified:
5 years ago CC:
v8-reviews_googlegroups.com, Michael Hablich Base URL:
https://chromium.googlesource.com/v8/v8.git@master Target Ref:
refs/pending/heads/master Project:
v8 Visibility:
Public. |
Description[heap] Clean up stale store buffer entries for aborted pages.
1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
2. Assume X contains pointer to Y and Y is in the new space, so X is in the
store buffer.
3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4. The current mark-sweep finishes. The slot X is in free space and is also in
the store buffer.
5. A string of length 9 "abcdefghi" is allocated in the new space. The string
looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
object before.
6. Scavenge happens.
7. Slot X is still in free space and in store buffer. [It causes scavenge of
the object Y in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
it is not important].
8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
is written in X.
9. The scavenge finishes.
9. Another scavenge starts.
10. We crash in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
processing slot X, because it doesn't point to valid map.
BUG=chromium:524425, chromium:564498
LOG=N
R=hpayer@chromium.org, ulan@chromium.org
Committed: https://crrev.com/2e7eea4aef3403969fe885e30f892d46253b3572
Cr-Commit-Position: refs/heads/master@{#32495}
Patch Set 1 #
Total comments: 2
Patch Set 2 : Added another DCHECK as suggested offline #Patch Set 3 : Addressed Hannes comment #Patch Set 4 : Remove explicit filter call for aborted pages. #Messages
Total messages: 23 (13 generated)
Description was changed from ========== [heap] Clean up stale store buffer entries for aborted pages. BUG=chromium:524425 LOG=N ========== to ========== [heap] Clean up stale store buffer entries for aborted pages. BUG=chromium:524425 LOG=N R=hpayer@chromium.org, ulan@chromium.org ==========
mlippautz@chromium.org changed reviewers: + hpayer@chromium.org, ulan@chromium.org
PTAL
lgtm
lgtm https://codereview.chromium.org/1493653002/diff/1/src/heap/spaces.h File src/heap/spaces.h (right): https://codereview.chromium.org/1493653002/diff/1/src/heap/spaces.h#newcode331 src/heap/spaces.h:331: // has been aborted and needs special handling, i.e., sweeper, and store sweeper and store buffer
Description was changed from ========== [heap] Clean up stale store buffer entries for aborted pages. BUG=chromium:524425 LOG=N R=hpayer@chromium.org, ulan@chromium.org ========== to ========== [heap] Clean up stale store buffer entries for aborted pages. 1. Let X be the aborted slot (slot in an evacuated object in an aborted page) 2. Assume X contains pointer to Y and Y is in the new space, so X is in the store buffer. 3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)). 4. The current mark-sweep finishes. The slot X is in free space and is also in the store buffer. 5. A string of length 9 "abcdefghi" is allocated in the new space. The string looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is previous garbage. Let's assume that NNNNNNN0 was pointing to a new space object before. 6. Scavenge happens. 7. Slot X is still in free space and in store buffer. [It causes scavenge of the object Y in store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But it is not important]. 8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi is written in X. 9. The scavenge finishes. 9. Another scavenge starts. 10. We crash in store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when processing slot X, because it doesn't point to valid map. BUG=chromium:524425 LOG=N R=hpayer@chromium.org, ulan@chromium.org ==========
Description was changed from ========== [heap] Clean up stale store buffer entries for aborted pages. 1. Let X be the aborted slot (slot in an evacuated object in an aborted page) 2. Assume X contains pointer to Y and Y is in the new space, so X is in the store buffer. 3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)). 4. The current mark-sweep finishes. The slot X is in free space and is also in the store buffer. 5. A string of length 9 "abcdefghi" is allocated in the new space. The string looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is previous garbage. Let's assume that NNNNNNN0 was pointing to a new space object before. 6. Scavenge happens. 7. Slot X is still in free space and in store buffer. [It causes scavenge of the object Y in store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But it is not important]. 8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi is written in X. 9. The scavenge finishes. 9. Another scavenge starts. 10. We crash in store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when processing slot X, because it doesn't point to valid map. BUG=chromium:524425 LOG=N R=hpayer@chromium.org, ulan@chromium.org ========== to ========== [heap] Clean up stale store buffer entries for aborted pages. 1. Let X be the aborted slot (slot in an evacuated object in an aborted page) 2. Assume X contains pointer to Y and Y is in the new space, so X is in the store buffer. 3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)). 4. The current mark-sweep finishes. The slot X is in free space and is also in the store buffer. 5. A string of length 9 "abcdefghi" is allocated in the new space. The string looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is previous garbage. Let's assume that NNNNNNN0 was pointing to a new space object before. 6. Scavenge happens. 7. Slot X is still in free space and in store buffer. [It causes scavenge of the object Y in store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But it is not important]. 8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi is written in X. 9. The scavenge finishes. 9. Another scavenge starts. 10. We crash in store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when processing slot X, because it doesn't point to valid map. BUG=chromium:524425 LOG=N R=hpayer@chromium.org, ulan@chromium.org ==========
https://codereview.chromium.org/1493653002/diff/1/src/heap/spaces.h File src/heap/spaces.h (right): https://codereview.chromium.org/1493653002/diff/1/src/heap/spaces.h#newcode331 src/heap/spaces.h:331: // has been aborted and needs special handling, i.e., sweeper, and store On 2015/12/02 08:46:31, Hannes Payer wrote: > sweeper and store buffer Done.
The CQ bit was checked by mlippautz@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from hpayer@chromium.org, ulan@chromium.org Link to the patchset: https://codereview.chromium.org/1493653002/#ps40001 (title: "Addressed Hannes comment")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1493653002/40001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1493653002/40001
Description was changed from
==========
[heap] Clean up stale store buffer entries for aborted pages.
1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
2. Assume X contains pointer to Y and Y is in the new space, so X is in the
store buffer.
3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4. The current mark-sweep finishes. The slot X is in free space and is also in
the store buffer.
5. A string of length 9 "abcdefghi" is allocated in the new space. The string
looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
object before.
6. Scavenge happens.
7. Slot X is still in free space and in store buffer. [It causes scavenge of
the object Y in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
it is not important].
8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
is written in X.
9. The scavenge finishes.
9. Another scavenge starts.
10. We crash in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
processing slot X, because it doesn't point to valid map.
BUG=chromium:524425
LOG=N
R=hpayer@chromium.org, ulan@chromium.org
==========
to
==========
[heap] Clean up stale store buffer entries for aborted pages.
1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
2. Assume X contains pointer to Y and Y is in the new space, so X is in the
store buffer.
3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4. The current mark-sweep finishes. The slot X is in free space and is also in
the store buffer.
5. A string of length 9 "abcdefghi" is allocated in the new space. The string
looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
object before.
6. Scavenge happens.
7. Slot X is still in free space and in store buffer. [It causes scavenge of
the object Y in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
it is not important].
8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
is written in X.
9. The scavenge finishes.
9. Another scavenge starts.
10. We crash in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
processing slot X, because it doesn't point to valid map.
BUG=chromium:524425,chromium:564498
LOG=N
R=hpayer@chromium.org,ulan@chromium.org
==========
Description was changed from
==========
[heap] Clean up stale store buffer entries for aborted pages.
1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
2. Assume X contains pointer to Y and Y is in the new space, so X is in the
store buffer.
3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4. The current mark-sweep finishes. The slot X is in free space and is also in
the store buffer.
5. A string of length 9 "abcdefghi" is allocated in the new space. The string
looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
object before.
6. Scavenge happens.
7. Slot X is still in free space and in store buffer. [It causes scavenge of
the object Y in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
it is not important].
8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
is written in X.
9. The scavenge finishes.
9. Another scavenge starts.
10. We crash in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
processing slot X, because it doesn't point to valid map.
BUG=chromium:524425,chromium:564498
LOG=N
R=hpayer@chromium.org,ulan@chromium.org
==========
to
==========
[heap] Clean up stale store buffer entries for aborted pages.
1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
2. Assume X contains pointer to Y and Y is in the new space, so X is in the
store buffer.
3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4. The current mark-sweep finishes. The slot X is in free space and is also in
the store buffer.
5. A string of length 9 "abcdefghi" is allocated in the new space. The string
looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
object before.
6. Scavenge happens.
7. Slot X is still in free space and in store buffer. [It causes scavenge of
the object Y in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
it is not important].
8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
is written in X.
9. The scavenge finishes.
9. Another scavenge starts.
10. We crash in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
processing slot X, because it doesn't point to valid map.
BUG=chromium:524425,chromium:564498
LOG=N
R=hpayer@chromium.org, ulan@chromium.org
==========
The CQ bit was unchecked by mlippautz@chromium.org
awesome! lgtm
The CQ bit was checked by mlippautz@chromium.org
The patchset sent to the CQ was uploaded after l-g-t-m from ulan@chromium.org Link to the patchset: https://codereview.chromium.org/1493653002/#ps60001 (title: "Remove explicit filter call for aborted pages.")
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1493653002/60001 View timeline at https://chromium-cq-status.appspot.com/patch-timeline/1493653002/60001
Message was sent while issue was closed.
Description was changed from
==========
[heap] Clean up stale store buffer entries for aborted pages.
1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
2. Assume X contains pointer to Y and Y is in the new space, so X is in the
store buffer.
3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4. The current mark-sweep finishes. The slot X is in free space and is also in
the store buffer.
5. A string of length 9 "abcdefghi" is allocated in the new space. The string
looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
object before.
6. Scavenge happens.
7. Slot X is still in free space and in store buffer. [It causes scavenge of
the object Y in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
it is not important].
8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
is written in X.
9. The scavenge finishes.
9. Another scavenge starts.
10. We crash in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
processing slot X, because it doesn't point to valid map.
BUG=chromium:524425,chromium:564498
LOG=N
R=hpayer@chromium.org, ulan@chromium.org
==========
to
==========
[heap] Clean up stale store buffer entries for aborted pages.
1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
2. Assume X contains pointer to Y and Y is in the new space, so X is in the
store buffer.
3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4. The current mark-sweep finishes. The slot X is in free space and is also in
the store buffer.
5. A string of length 9 "abcdefghi" is allocated in the new space. The string
looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
object before.
6. Scavenge happens.
7. Slot X is still in free space and in store buffer. [It causes scavenge of
the object Y in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
it is not important].
8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
is written in X.
9. The scavenge finishes.
9. Another scavenge starts.
10. We crash in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
processing slot X, because it doesn't point to valid map.
BUG=chromium:524425,chromium:564498
LOG=N
R=hpayer@chromium.org, ulan@chromium.org
==========
Message was sent while issue was closed.
Committed patchset #4 (id:60001)
Message was sent while issue was closed.
Description was changed from
==========
[heap] Clean up stale store buffer entries for aborted pages.
1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
2. Assume X contains pointer to Y and Y is in the new space, so X is in the
store buffer.
3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4. The current mark-sweep finishes. The slot X is in free space and is also in
the store buffer.
5. A string of length 9 "abcdefghi" is allocated in the new space. The string
looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
object before.
6. Scavenge happens.
7. Slot X is still in free space and in store buffer. [It causes scavenge of
the object Y in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
it is not important].
8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
is written in X.
9. The scavenge finishes.
9. Another scavenge starts.
10. We crash in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
processing slot X, because it doesn't point to valid map.
BUG=chromium:524425,chromium:564498
LOG=N
R=hpayer@chromium.org, ulan@chromium.org
==========
to
==========
[heap] Clean up stale store buffer entries for aborted pages.
1. Let X be the aborted slot (slot in an evacuated object in an aborted page)
2. Assume X contains pointer to Y and Y is in the new space, so X is in the
store buffer.
3. Store buffer rebuilding will not filter out X (it checks InNewSpace(Y)).
4. The current mark-sweep finishes. The slot X is in free space and is also in
the store buffer.
5. A string of length 9 "abcdefghi" is allocated in the new space. The string
looks like |MAP|LENGTH|hgfedcba|NNNNNNNi| in memory, where NNNNNNN is
previous garbage. Let's assume that NNNNNNN0 was pointing to a new space
object before.
6. Scavenge happens.
7. Slot X is still in free space and in store buffer. [It causes scavenge of
the object Y in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject). But
it is not important].
8. Our string is promoted and is allocated over the slot X, such that NNNNNNNi
is written in X.
9. The scavenge finishes.
9. Another scavenge starts.
10. We crash in
store_buffer()->IteratePointersToNewSpace(&Scavenger::ScavengeObject) when
processing slot X, because it doesn't point to valid map.
BUG=chromium:524425,chromium:564498
LOG=N
R=hpayer@chromium.org, ulan@chromium.org
Committed: https://crrev.com/2e7eea4aef3403969fe885e30f892d46253b3572
Cr-Commit-Position: refs/heads/master@{#32495}
==========
Message was sent while issue was closed.
Patchset 4 (id:??) landed as https://crrev.com/2e7eea4aef3403969fe885e30f892d46253b3572 Cr-Commit-Position: refs/heads/master@{#32495}
Message was sent while issue was closed.
A revert of this CL (patchset #4 id:60001) has been created in https://codereview.chromium.org/1489243004/ by mlippautz@chromium.org. The reason for reverting is: Not completely correct fix.. |
