[tagged] Make FreeSpace a HeapObjectLayout

LeszekSwirski · V8 LUCI CQ · commit 06bf293610ef · 2025-05-28T08:23:41.000-07:00
Bug: 42202654 Change-Id: I2c5d1a69d9bf0272b631e3fa7964026f3ccded11 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6596552 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/main@{#100564}
diff --git a/src/builtins/base.tq b/src/builtins/base.tq
@@ -58,9 +58,6 @@ type Zero extends PositiveSmi;
 // A tagged value represented by an all-zero bitpattern.
 type TaggedZeroPattern extends TaggedIndex;
 
-// A value with the size of Tagged which may contain arbitrary data.
-type Uninitialized extends Tagged;
-
 type BuiltinsName extends int31 constexpr 'Builtin';
 
 type UseCounterFeature extends int31
diff --git a/src/compiler/access-builder.cc b/src/compiler/access-builder.cc
@@ -914,7 +914,7 @@ FieldAccess AccessBuilder::ForNameRawHashField() {
 
 // static
 FieldAccess AccessBuilder::ForFreeSpaceSize() {
-  FieldAccess access = {kTaggedBase,         FreeSpace::kSizeOffset,
+  FieldAccess access = {kTaggedBase,         offsetof(FreeSpace, size_),
                         MaybeHandle<Name>(), OptionalMapRef(),
                         Type::SignedSmall(), MachineType::TaggedSigned(),
                         kNoWriteBarrier};
diff --git a/src/diagnostics/objects-debug.cc b/src/diagnostics/objects-debug.cc
@@ -349,6 +349,10 @@ void HeapObject::HeapObjectVerify(Isolate* isolate) {
       Cast<BigIntBase>(*this)->BigIntBaseVerify(isolate);
       break;
 
+    case FREE_SPACE_TYPE:
+      Cast<FreeSpace>(*this)->FreeSpaceVerify(isolate);
+      break;
+
     case JS_CLASS_CONSTRUCTOR_TYPE:
     case JS_PROMISE_CONSTRUCTOR_TYPE:
     case JS_REG_EXP_CONSTRUCTOR_TYPE:
@@ -381,6 +385,14 @@ void HeapObject::VerifyCodePointer(Isolate* isolate, Tagged<Object> p) {
   CHECK(IsInstructionStream(Cast<HeapObject>(p), cage_base));
 }
 
+void FreeSpace::FreeSpaceVerify(Isolate* isolate) {
+  CHECK(IsFreeSpace(this));
+  {
+    Tagged<Object> size = size_.Relaxed_Load();
+    CHECK(IsSmi(size));
+  }
+}
+
 void Name::NameVerify(Isolate* isolate) {
   PrimitiveHeapObjectVerify(isolate);
   CHECK(IsName(this));
diff --git a/src/diagnostics/objects-printer.cc b/src/diagnostics/objects-printer.cc
@@ -395,6 +395,9 @@ void HeapObject::HeapObjectPrint(std::ostream& os) {
     case BIG_INT_BASE_TYPE:
       Cast<BigIntBase>(*this)->BigIntBasePrint(os);
       break;
+    case FREE_SPACE_TYPE:
+      Cast<FreeSpace>(*this)->FreeSpacePrint(os);
+      break;
     case JS_CLASS_CONSTRUCTOR_TYPE:
     case JS_PROMISE_CONSTRUCTOR_TYPE:
     case JS_REG_EXP_CONSTRUCTOR_TYPE:
diff --git a/src/heap/free-list.cc b/src/heap/free-list.cc
@@ -28,7 +28,7 @@ void FreeListCategory::Unlink(FreeList* owner) {
 
 void FreeListCategory::Reset(FreeList* owner) {
   Unlink(owner);
-  set_top(FreeSpace());
+  set_top(Tagged<FreeSpace>());
   available_ = 0;
 }
 
@@ -39,7 +39,7 @@ Tagged<FreeSpace> FreeListCategory::PickNodeFromList(size_t minimum_size,
   DCHECK(MemoryChunk::FromHeapObject(node)->CanAllocate());
   if (static_cast<size_t>(node->Size()) < minimum_size) {
     *node_size = 0;
-    return FreeSpace();
+    return Tagged<FreeSpace>();
   }
   set_top(node->next());
   *node_size = node->Size();
@@ -80,7 +80,7 @@ Tagged<FreeSpace> FreeListCategory::SearchForNodeInList(size_t minimum_size,
 
     prev_non_evac_node = cur_node;
   }
-  return FreeSpace();
+  return Tagged<FreeSpace>();
 }
 
 void FreeListCategory::Free(const WritableFreeSpace& writable_free_space,
@@ -140,7 +140,7 @@ Tagged<FreeSpace> FreeList::TryFindNodeIn(FreeListCategoryType type,
                                           size_t minimum_size,
                                           size_t* node_size) {
   FreeListCategory* category = categories_[type];
-  if (category == nullptr) return FreeSpace();
+  if (category == nullptr) return Tagged<FreeSpace>();
   Tagged<FreeSpace> node = category->PickNodeFromList(minimum_size, node_size);
   if (!node.is_null()) {
     DecreaseAvailableBytes(*node_size);
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
@@ -6326,13 +6326,14 @@ void Heap::TearDown() {
 }
 
 // static
-bool Heap::IsFreeSpaceValid(FreeSpace object) {
+bool Heap::IsFreeSpaceValid(const FreeSpace* object) {
   Heap* heap = HeapUtils::GetOwnerHeap(object);
   Tagged<Object> free_space_map =
       heap->isolate()->root(RootIndex::kFreeSpaceMap);
   CHECK(!heap->deserialization_complete() ||
-        object.map_slot().contains_map_value(free_space_map.ptr()));
-  CHECK_LE(FreeSpace::kNextOffset + kTaggedSize, object.size(kRelaxedLoad));
+        object->map_slot().contains_map_value(free_space_map.ptr()));
+  CHECK_LE(offsetof(FreeSpace, next_) + kTaggedSize,
+           object->size(kRelaxedLoad));
   return true;
 }
 
diff --git a/src/heap/heap.h b/src/heap/heap.h
@@ -365,7 +365,7 @@ class Heap final {
            collector == GarbageCollector::MINOR_MARK_SWEEPER;
   }
 
-  V8_EXPORT_PRIVATE static bool IsFreeSpaceValid(FreeSpace object);
+  V8_EXPORT_PRIVATE static bool IsFreeSpaceValid(const FreeSpace* object);
 
   static inline GarbageCollector YoungGenerationCollector() {
     return (v8_flags.minor_ms) ? GarbageCollector::MINOR_MARK_SWEEPER
diff --git a/src/heap/sweeper.cc b/src/heap/sweeper.cc
@@ -1026,11 +1026,11 @@ std::optional<base::AddressRegion> Sweeper::ComputeDiscardMemoryArea(
 
 void Sweeper::ZeroOrDiscardUnusedMemory(PageMetadata* page, Address addr,
                                         size_t size) {
-  if (size < FreeSpace::kSize) {
+  if (size < sizeof(FreeSpace)) {
     return;
   }
 
-  const Address unused_start = addr + FreeSpace::kSize;
+  const Address unused_start = addr + sizeof(FreeSpace);
   DCHECK(page->ContainsLimit(unused_start));
   const Address unused_end = addr + size;
   DCHECK(page->ContainsLimit(unused_end));
diff --git a/src/objects/free-space-inl.h b/src/objects/free-space-inl.h
@@ -19,34 +19,30 @@
 namespace v8 {
 namespace internal {
 
-#include "torque-generated/src/objects/free-space-tq-inl.inc"
-
-TQ_OBJECT_CONSTRUCTORS_IMPL(FreeSpace)
-
-RELAXED_SMI_ACCESSORS(FreeSpace, size, kSizeOffset)
+int FreeSpace::size(RelaxedLoadTag) const {
+  return size_.Relaxed_Load().value();
+}
 
 // static
 inline void FreeSpace::SetSize(const WritableFreeSpace& writable_free_space,
                                int size, RelaxedStoreTag tag) {
-  writable_free_space.WriteHeaderSlot<Smi, kSizeOffset>(Smi::FromInt(size),
-                                                        tag);
+  writable_free_space.WriteHeaderSlot<Smi, offsetof(FreeSpace, size_)>(
+      Smi::FromInt(size), tag);
 }
 
 int FreeSpace::Size() { return size(kRelaxedLoad); }
 
 Tagged<FreeSpace> FreeSpace::next() const {
   DCHECK(IsValid());
 #ifdef V8_EXTERNAL_CODE_SPACE
-  intptr_t diff_to_next =
-      static_cast<intptr_t>(TaggedField<Smi, kNextOffset>::load(*this).value());
+  intptr_t diff_to_next{next_.Relaxed_Load().value()};
   if (diff_to_next == 0) {
-    return FreeSpace();
+    return {};
   }
   Address next_ptr = ptr() + diff_to_next * kObjectAlignment;
   return UncheckedCast<FreeSpace>(Tagged<Object>(next_ptr));
 #else
-  return UncheckedCast<FreeSpace>(
-      TaggedField<Object, kNextOffset>::load(*this));
+  return next_.Relaxed_Load();
 #endif  // V8_EXTERNAL_CODE_SPACE
 }
 
@@ -56,20 +52,21 @@ void FreeSpace::SetNext(const WritableFreeSpace& writable_free_space,
 
 #ifdef V8_EXTERNAL_CODE_SPACE
   if (next.is_null()) {
-    writable_free_space.WriteHeaderSlot<Smi, kNextOffset>(Smi::zero(),
-                                                          kRelaxedStore);
+    writable_free_space.WriteHeaderSlot<Smi, offsetof(FreeSpace, next_)>(
+        Smi::zero(), kRelaxedStore);
     return;
   }
   intptr_t diff_to_next = next.ptr() - ptr();
   DCHECK(IsAligned(diff_to_next, kObjectAlignment));
-  writable_free_space.WriteHeaderSlot<Smi, kNextOffset>(
+  writable_free_space.WriteHeaderSlot<Smi, offsetof(FreeSpace, next_)>(
       Smi::FromIntptr(diff_to_next / kObjectAlignment), kRelaxedStore);
 #else
-  writable_free_space.WriteHeaderSlot<Object, kNextOffset>(next, kRelaxedStore);
+  writable_free_space.WriteHeaderSlot<Object, offsetof(FreeSpace, next_)>(
+      next, kRelaxedStore);
 #endif  // V8_EXTERNAL_CODE_SPACE
 }
 
-bool FreeSpace::IsValid() const { return Heap::IsFreeSpaceValid(*this); }
+bool FreeSpace::IsValid() const { return Heap::IsFreeSpaceValid(this); }
 
 }  // namespace internal
 }  // namespace v8
diff --git a/src/objects/free-space.h b/src/objects/free-space.h
@@ -9,12 +9,11 @@
 
 // Has to be the last include (doesn't have include guards):
 #include "src/objects/object-macros.h"
+#include "src/objects/tagged-field.h"
 
 namespace v8 {
 namespace internal {
 
-#include "torque-generated/src/objects/free-space-tq.inc"
-
 // FreeSpace are fixed-size free memory blocks used by the heap and GC.
 // They look like heap objects (are heap object tagged and have a map) so that
 // the heap remains iterable.  They have a size and a next pointer.
@@ -30,10 +29,11 @@ namespace internal {
 //    31 bits),
 // b) it's independent of the pointer compression base and pointer compression
 //    scheme.
-class FreeSpace : public TorqueGeneratedFreeSpace<FreeSpace, HeapObject> {
+class FreeSpace : public HeapObjectLayout {
  public:
   // [size]: size of the free space including the header.
-  DECL_RELAXED_INT_ACCESSORS(size)
+  inline int size(RelaxedLoadTag) const;
+
   static inline void SetSize(const WritableFreeSpace& writable_free_space,
                              int size, RelaxedStoreTag);
   inline int Size();
@@ -45,13 +45,22 @@ class FreeSpace : public TorqueGeneratedFreeSpace<FreeSpace, HeapObject> {
 
   // Dispatched behavior.
   DECL_PRINTER(FreeSpace)
+  DECL_VERIFIER(FreeSpace)
 
   class BodyDescriptor;
 
  private:
+  friend class Heap;
+  friend class compiler::AccessBuilder;
+
   inline bool IsValid() const;
 
-  TQ_OBJECT_CONSTRUCTORS(FreeSpace)
+  TaggedMember<Smi> size_;
+#ifdef V8_EXTERNAL_CODE_SPACE
+  TaggedMember<Smi> next_;
+#else
+  TaggedMember<FreeSpace> next_;
+#endif  // V8_EXTERNAL_CODE_SPACE
 };
 
 }  // namespace internal
diff --git a/src/objects/free-space.tq b/src/objects/free-space.tq
@@ -2,7 +2,4 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
-extern class FreeSpace extends HeapObject {
-  size: Smi;
-  next: FreeSpace|Smi|Uninitialized;
-}
+extern class FreeSpace extends HeapObject;
diff --git a/src/objects/heap-object.h b/src/objects/heap-object.h
@@ -50,6 +50,8 @@ V8_OBJECT class HeapObjectLayout {
   inline void set_map_safe_transition(IsolateT* isolate, Tagged<Map> value,
                                       ReleaseStoreTag);
 
+  inline ObjectSlot map_slot() const;
+
   inline void set_map_safe_transition_no_write_barrier(
       Isolate* isolate, Tagged<Map> value, RelaxedStoreTag = kRelaxedStore);
 
diff --git a/src/objects/objects-inl.h b/src/objects/objects-inl.h
@@ -1557,6 +1557,10 @@ DEF_ACQUIRE_GETTER(HeapObject, map, Tagged<Map>) {
   return map_word(cage_base, kAcquireLoad).ToMap();
 }
 
+ObjectSlot HeapObjectLayout::map_slot() const {
+  return Tagged<HeapObject>(this)->map_slot();
+}
+
 ObjectSlot HeapObject::map_slot() const {
   return ObjectSlot(MapField::address(*this));
 }
diff --git a/src/snapshot/read-only-serializer.cc b/src/snapshot/read-only-serializer.cc
@@ -434,7 +434,7 @@ std::vector<ReadOnlyHeapImageSerializer::MemoryRegion> GetUnmappedRegions(
   Tagged<HeapObject> wasm_null_padding = ro_roots.wasm_null_padding();
   CHECK(IsFreeSpace(wasm_null_padding));
   Address wasm_null_padding_start =
-      wasm_null_padding.address() + FreeSpace::kHeaderSize;
+      wasm_null_padding.address() + sizeof(FreeSpace);
   std::vector<ReadOnlyHeapImageSerializer::MemoryRegion> unmapped;
   if (wasm_null.address() > wasm_null_padding_start) {
     unmapped.push_back({wasm_null_padding_start,
diff --git a/src/torque/constants.h b/src/torque/constants.h
@@ -37,7 +37,6 @@ static const char* const JSOBJECT_TYPE_STRING = "JSObject";
 static const char* const SMI_TYPE_STRING = "Smi";
 static const char* const TAGGED_TYPE_STRING = "Tagged";
 static const char* const STRONG_TAGGED_TYPE_STRING = "StrongTagged";
-static const char* const UNINITIALIZED_TYPE_STRING = "Uninitialized";
 static const char* const UNINITIALIZED_HEAP_OBJECT_TYPE_STRING =
     "UninitializedHeapObject";
 static const char* const RAWPTR_TYPE_STRING = "RawPtr";
diff --git a/src/torque/implementation-visitor.cc b/src/torque/implementation-visitor.cc
@@ -5314,8 +5314,6 @@ void GenerateClassFieldVerifier(const std::string& class_name,
   // Protected pointer fields cannot be read or verified from torque yet.
   if (field_type->IsSubtypeOf(TypeOracle::GetProtectedPointerType())) return;
   if (field_type == TypeOracle::GetFloat64OrUndefinedOrHoleType()) return;
-  // Do not verify if the field may be uninitialized.
-  if (TypeOracle::GetUninitializedType()->IsSubtypeOf(field_type)) return;
 
   std::string field_start_offset;
   if (f.index) {
diff --git a/src/torque/type-oracle.h b/src/torque/type-oracle.h
@@ -249,10 +249,6 @@ class TypeOracle : public base::ContextualClass<TypeOracle> {
     return Get().GetBuiltinType(STRONG_TAGGED_TYPE_STRING);
   }
 
-  static const Type* GetUninitializedType() {
-    return Get().GetBuiltinType(UNINITIALIZED_TYPE_STRING);
-  }
-
   static const Type* GetUninitializedHeapObjectType() {
     return Get().GetBuiltinType(
         QualifiedName({TORQUE_INTERNAL_NAMESPACE_STRING},
diff --git a/test/unittests/torque/torque-unittest.cc b/test/unittests/torque/torque-unittest.cc
@@ -48,7 +48,6 @@ type StrongTagged extends Tagged
 type Smi extends StrongTagged generates 'TNode<Smi>' constexpr 'Smi';
 type WeakHeapObject extends Tagged;
 type Weak<T : type extends HeapObject> extends WeakHeapObject;
-type Uninitialized extends Tagged;
 type TaggedIndex extends StrongTagged;
 type TaggedZeroPattern extends TaggedIndex;
 

Original file line number	Diff line number	Diff line change
`@@ -365,7 +365,7 @@ class Heap final {`
`365`	`365`	`collector == GarbageCollector::MINOR_MARK_SWEEPER;`
`366`	`366`	`}`
`367`	`367`
`368`		`- V8_EXPORT_PRIVATE static bool IsFreeSpaceValid(FreeSpace object);`
	`368`	`+ V8_EXPORT_PRIVATE static bool IsFreeSpaceValid(const FreeSpace* object);`
`369`	`369`
`370`	`370`	`static inline GarbageCollector YoungGenerationCollector() {`
`371`	`371`	`return (v8_flags.minor_ms) ? GarbageCollector::MINOR_MARK_SWEEPER`