[heap] Do not trace through blink after making weak roots strong for finalizers

[heap] Do not trace through blink after making weak roots strong for finalizers

Similar to object grouping, we cannot trace through blink (and back to V8) after
making weak roots strong because phantom callbacks have already been scheduled
and the handles been zapped.

This is a short-term solution (mimicing what object grouping currently does). It
is not correct in general because we should fully process the subgraph that was
discovered by making some of the weak roots strong.  In long term we need  a
separate handle type on the API level for traced references that have their
handles zapped at a different stage.

Reproduction:
- Initial marking is done, i.e., both marking deques are empty.
- We make weak roots needed for regular finalizers strong.
- We collect phantom callback data and zap handles that are not reachable so far.
- Through new roots we discover wrappables on the blink side that would also keep
  objects that were already scheduled for phantom callbacks alive.
- Since the handle was already zapped we crash during dereferencing.

BUG=chromium:668060, chromium:468240
Review-Url: https://codereview.chromium.org/2580813002
Cr-Commit-Position: refs/heads/master@{#41724}
Committed: https://chromium.googlesource.com/v8/v8/+/af6d01a168c8c61f096edf4e54e97add97f36deb

[Michael Lippautz, 2016-12-15 13:37:34]

Description was changed from

==========
[heap] Do not trace through blink after making weak roots strong for finalizers

BUG=
==========

to

==========
[heap] Do not trace through blink after making weak roots strong for finalizers

Similar to object grouping, we cannot trace through blink (and back to V8) after
making weak roots strong because phantom callbacks have already been scheduled
and the handles been zapped.

In long term we should have a separate handle type on the API level for traced
references that have their handles zapped at a different stage. 

BUG=chromium:668060,chromium:468240
==========

[Michael Lippautz, 2016-12-15 13:39:38]

Description was changed from

==========
[heap] Do not trace through blink after making weak roots strong for finalizers

Similar to object grouping, we cannot trace through blink (and back to V8) after
making weak roots strong because phantom callbacks have already been scheduled
and the handles been zapped.

In long term we should have a separate handle type on the API level for traced
references that have their handles zapped at a different stage. 

BUG=chromium:668060,chromium:468240
==========

to

==========
[heap] Do not trace through blink after making weak roots strong for finalizers

Similar to object grouping, we cannot trace through blink (and back to V8) after
making weak roots strong because phantom callbacks have already been scheduled
and the handles been zapped.

In long term we should have a separate handle type on the API level for traced
references that have their handles zapped at a different stage.

Reproduction:
- Initial marking is done, i.e., both marking deques are empty.
- We make weak roots needed for regular finalizers strong.
- We collect phantom callback data and zap handles that are not reachable so
far.
- Through new roots we discover wrappables on the blink side that would also
keep
  objects that were already scheduled for phantom callbacks alive.
- Since the handle was already zapped we crash during dereferencing.

BUG=chromium:668060,chromium:468240
==========

[Michael Lippautz, 2016-12-15 13:41:15]

Description was changed from

==========
[heap] Do not trace through blink after making weak roots strong for finalizers

Similar to object grouping, we cannot trace through blink (and back to V8) after
making weak roots strong because phantom callbacks have already been scheduled
and the handles been zapped.

In long term we should have a separate handle type on the API level for traced
references that have their handles zapped at a different stage.

Reproduction:
- Initial marking is done, i.e., both marking deques are empty.
- We make weak roots needed for regular finalizers strong.
- We collect phantom callback data and zap handles that are not reachable so
far.
- Through new roots we discover wrappables on the blink side that would also
keep
  objects that were already scheduled for phantom callbacks alive.
- Since the handle was already zapped we crash during dereferencing.

BUG=chromium:668060,chromium:468240
==========

to

==========
[heap] Do not trace through blink after making weak roots strong for finalizers

Similar to object grouping, we cannot trace through blink (and back to V8) after
making weak roots strong because phantom callbacks have already been scheduled
and the handles been zapped.

This is a short-term solution (mimicing what object grouping currently does). It
is not correct in general because we should fully process the subgraph that was
discovered by making some of the weak roots strong.  In long term we need  a
separate handle type on the API level for traced references that have their
handles zapped at a different stage.

Reproduction:
- Initial marking is done, i.e., both marking deques are empty.
- We make weak roots needed for regular finalizers strong.
- We collect phantom callback data and zap handles that are not reachable so
far.
- Through new roots we discover wrappables on the blink side that would also
keep
  objects that were already scheduled for phantom callbacks alive.
- Since the handle was already zapped we crash during dereferencing.

BUG=chromium:668060,chromium:468240
==========

[Michael Lippautz, 2016-12-15 14:01:46]

mlippautz@chromium.org changed reviewers:
+ jochen@chromium.org

[Michael Lippautz, 2016-12-15 14:01:46]

jochen: ptal
haraken/hlopko: fyi

This fixes the RegisterExternallyReferencedObject crasher by aligning the
behavior to object grouping. As the descripton says: I plan to create a separate
handle type that is zapped at a different phase so that we can trace through
here. This only matters for subgraphs that are resurrected for finalizers and
the same case currently exists for object grouping.

[Michael Lippautz, 2016-12-15 14:10:33]

The CQ bit was checked by mlippautz@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2016-12-15 14:10:42]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[jochen (gone - plz use gerrit), 2016-12-15 14:15:14]

lgtm

[commit-bot: I haz the power, 2016-12-15 14:36:13]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2016-12-15 14:36:14]

Dry run: This issue passed the CQ dry run.

[Michael Lippautz, 2016-12-15 14:38:20]

The CQ bit was checked by mlippautz@chromium.org

[commit-bot: I haz the power, 2016-12-15 14:38:24]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2016-12-15 14:39:59]

CQ is committing da patch.

Bot data: {"patchset_id": 40001, "attempt_start_ts": 1481812700743200,
"parent_rev": "ed080e69665c96f9e5e61cf1d0e1ce377fc5aca6", "commit_rev":
"af6d01a168c8c61f096edf4e54e97add97f36deb"}

[commit-bot: I haz the power, 2016-12-15 14:40:03]

Description was changed from

==========
[heap] Do not trace through blink after making weak roots strong for finalizers

Similar to object grouping, we cannot trace through blink (and back to V8) after
making weak roots strong because phantom callbacks have already been scheduled
and the handles been zapped.

This is a short-term solution (mimicing what object grouping currently does). It
is not correct in general because we should fully process the subgraph that was
discovered by making some of the weak roots strong.  In long term we need  a
separate handle type on the API level for traced references that have their
handles zapped at a different stage.

Reproduction:
- Initial marking is done, i.e., both marking deques are empty.
- We make weak roots needed for regular finalizers strong.
- We collect phantom callback data and zap handles that are not reachable so
far.
- Through new roots we discover wrappables on the blink side that would also
keep
  objects that were already scheduled for phantom callbacks alive.
- Since the handle was already zapped we crash during dereferencing.

BUG=chromium:668060,chromium:468240
==========

to

==========
[heap] Do not trace through blink after making weak roots strong for finalizers

Similar to object grouping, we cannot trace through blink (and back to V8) after
making weak roots strong because phantom callbacks have already been scheduled
and the handles been zapped.

This is a short-term solution (mimicing what object grouping currently does). It
is not correct in general because we should fully process the subgraph that was
discovered by making some of the weak roots strong.  In long term we need  a
separate handle type on the API level for traced references that have their
handles zapped at a different stage.

Reproduction:
- Initial marking is done, i.e., both marking deques are empty.
- We make weak roots needed for regular finalizers strong.
- We collect phantom callback data and zap handles that are not reachable so
far.
- Through new roots we discover wrappables on the blink side that would also
keep
  objects that were already scheduled for phantom callbacks alive.
- Since the handle was already zapped we crash during dereferencing.

BUG=chromium:668060,chromium:468240

Review-Url: https://codereview.chromium.org/2580813002
Cr-Commit-Position: refs/heads/master@{#41724}
Committed:
https://chromium.googlesource.com/v8/v8/+/af6d01a168c8c61f096edf4e54e97add97f...
==========

[commit-bot: I haz the power, 2016-12-15 14:40:03]

Committed patchset #3 (id:40001) as
https://chromium.googlesource.com/v8/v8/+/af6d01a168c8c61f096edf4e54e97add97f...