[runtime] Make layout descriptor helper safe for concurrent marking.

ulan · Commit Bot · commit 61bf2cc69217 · 2017-11-17T21:57:23.000Z
The layout descriptor helper computes the object header size using map->instance_size() and map->GetInObjectProperties(). It races with finalization of slack tracking, which changes both the instance size and the in-object properties count. This patch replaces the in-object properties count byte in the map with the byte that stores the start offset of in-object properties. The new byte can be used in the layout descriptor to compute the object header size and it is immutable. This patch also renames InstanceSize to InstanceSizeInWords where the instance size is represented in words. Bug: chromium:786069, chromium:694255 Change-Id: I4b48c6944d3fe8a950bd7b0ba43d75216b177a78 Reviewed-on: https://chromium-review.googlesource.com/776720 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/master@{#49461}
diff --git a/src/bootstrapper.cc b/src/bootstrapper.cc
@@ -805,6 +805,9 @@ Handle<Map> CreateNonConstructorMap(Handle<Map> source_map,
     // TODO(ulan): Do not change instance size after map creation.
     int unused_property_fields = map->UnusedPropertyFields();
     map->set_instance_size(map->instance_size() + kPointerSize);
+    // The prototype slot shifts the in-object properties area by one slot.
+    map->SetInObjectPropertiesStartInWords(
+        map->GetInObjectPropertiesStartInWords() + 1);
     map->set_has_prototype_slot(true);
     map->SetInObjectUnusedPropertyFields(unused_property_fields);
   }
@@ -3369,6 +3372,9 @@ void Genesis::InitializeGlobal(Handle<JSGlobalObject> global_object,
     // TODO(ulan): Do not change instance size after map creation.
     int unused_property_fields = proxy_function_map->UnusedPropertyFields();
     proxy_function_map->set_instance_size(JSFunction::kSizeWithPrototype);
+    // The prototype slot shifts the in-object properties area by one slot.
+    proxy_function_map->SetInObjectPropertiesStartInWords(
+        proxy_function_map->GetInObjectPropertiesStartInWords() + 1);
     proxy_function_map->set_has_prototype_slot(true);
     proxy_function_map->set_is_constructor(true);
     proxy_function_map->SetInObjectUnusedPropertyFields(unused_property_fields);
diff --git a/src/builtins/builtins-async-gen.cc b/src/builtins/builtins-async-gen.cc
@@ -57,7 +57,7 @@ Node* AsyncBuiltinsAssembler::Await(
       LoadObjectField(promise_fun, JSFunction::kPrototypeOrInitialMapOffset);
   // Assert that the JSPromise map has an instance size is
   // JSPromise::kSizeWithEmbedderFields.
-  CSA_ASSERT(this, WordEqual(LoadMapInstanceSize(promise_map),
+  CSA_ASSERT(this, WordEqual(LoadMapInstanceSizeInWords(promise_map),
                              IntPtrConstant(JSPromise::kSizeWithEmbedderFields /
                                             kPointerSize)));
   Node* const wrapped_value = InnerAllocate(base, kWrappedPromiseOffset);
@@ -158,7 +158,7 @@ void AsyncBuiltinsAssembler::InitializeNativeClosure(Node* context,
       native_context, Context::STRICT_FUNCTION_WITHOUT_PROTOTYPE_MAP_INDEX);
   // Ensure that we don't have to initialize prototype_or_initial_map field of
   // JSFunction.
-  CSA_ASSERT(this, WordEqual(LoadMapInstanceSize(function_map),
+  CSA_ASSERT(this, WordEqual(LoadMapInstanceSizeInWords(function_map),
                              IntPtrConstant(JSFunction::kSizeWithoutPrototype /
                                             kPointerSize)));
   StoreMapNoWriteBarrier(function, function_map);
diff --git a/src/builtins/builtins-constructor-gen.cc b/src/builtins/builtins-constructor-gen.cc
@@ -84,7 +84,7 @@ Node* ConstructorBuiltinsAssembler::EmitFastNewClosure(Node* shared_info,
 
   // Create a new closure from the given function info in new space
   Node* instance_size_in_bytes =
-      TimesPointerSize(LoadMapInstanceSize(function_map));
+      TimesPointerSize(LoadMapInstanceSizeInWords(function_map));
   Node* result = Allocate(instance_size_in_bytes);
   StoreMapNoWriteBarrier(result, function_map);
   InitializeJSObjectBodyNoSlackTracking(result, function_map,
@@ -508,7 +508,8 @@ Node* ConstructorBuiltinsAssembler::EmitCreateShallowObjectLiteral(
   // Ensure new-space allocation for a fresh JSObject so we can skip write
   // barriers when copying all object fields.
   STATIC_ASSERT(JSObject::kMaxInstanceSize < kMaxRegularHeapObjectSize);
-  Node* instance_size = TimesPointerSize(LoadMapInstanceSize(boilerplate_map));
+  Node* instance_size =
+      TimesPointerSize(LoadMapInstanceSizeInWords(boilerplate_map));
   Node* allocation_size = instance_size;
   bool needs_allocation_memento = FLAG_allocation_site_pretenuring;
   if (needs_allocation_memento) {
diff --git a/src/code-stub-assembler.cc b/src/code-stub-assembler.cc
@@ -1362,19 +1362,20 @@ TNode<PrototypeInfo> CodeStubAssembler::LoadMapPrototypeInfo(
   return CAST(prototype_info);
 }
 
-TNode<IntPtrT> CodeStubAssembler::LoadMapInstanceSize(SloppyTNode<Map> map) {
+TNode<IntPtrT> CodeStubAssembler::LoadMapInstanceSizeInWords(
+    SloppyTNode<Map> map) {
   CSA_SLOW_ASSERT(this, IsMap(map));
-  return ChangeInt32ToIntPtr(
-      LoadObjectField(map, Map::kInstanceSizeOffset, MachineType::Uint8()));
+  return ChangeInt32ToIntPtr(LoadObjectField(
+      map, Map::kInstanceSizeInWordsOffset, MachineType::Uint8()));
 }
 
-TNode<IntPtrT> CodeStubAssembler::LoadMapInobjectProperties(
+TNode<IntPtrT> CodeStubAssembler::LoadMapInobjectPropertiesStartInWords(
     SloppyTNode<Map> map) {
   CSA_SLOW_ASSERT(this, IsMap(map));
-  // See Map::GetInObjectProperties() for details.
+  // See Map::GetInObjectPropertiesStartInWords() for details.
   CSA_ASSERT(this, IsJSObjectMap(map));
   return ChangeInt32ToIntPtr(LoadObjectField(
-      map, Map::kInObjectPropertiesOrConstructorFunctionIndexOffset,
+      map, Map::kInObjectPropertiesStartOrConstructorFunctionIndexOffset,
       MachineType::Uint8()));
 }
 
@@ -1384,7 +1385,7 @@ TNode<IntPtrT> CodeStubAssembler::LoadMapConstructorFunctionIndex(
   // See Map::GetConstructorFunctionIndex() for details.
   CSA_ASSERT(this, IsPrimitiveInstanceType(LoadMapInstanceType(map)));
   return ChangeInt32ToIntPtr(LoadObjectField(
-      map, Map::kInObjectPropertiesOrConstructorFunctionIndexOffset,
+      map, Map::kInObjectPropertiesStartOrConstructorFunctionIndexOffset,
       MachineType::Uint8()));
 }
 
@@ -2464,7 +2465,7 @@ Node* CodeStubAssembler::CopyNameDictionary(Node* dictionary,
 Node* CodeStubAssembler::AllocateStruct(Node* map, AllocationFlags flags) {
   Comment("AllocateStruct");
   CSA_ASSERT(this, IsMap(map));
-  Node* size = TimesPointerSize(LoadMapInstanceSize(map));
+  Node* size = TimesPointerSize(LoadMapInstanceSizeInWords(map));
   Node* object = Allocate(size, flags);
   StoreMapNoWriteBarrier(object, map);
   InitializeStructBody(object, map, size, Struct::kHeaderSize);
@@ -2492,7 +2493,7 @@ Node* CodeStubAssembler::AllocateJSObjectFromMap(
   CSA_ASSERT(this, Word32BinaryNot(IsJSFunctionMap(map)));
   CSA_ASSERT(this, Word32BinaryNot(InstanceTypeEqual(LoadMapInstanceType(map),
                                                      JS_GLOBAL_OBJECT_TYPE)));
-  Node* instance_size = TimesPointerSize(LoadMapInstanceSize(map));
+  Node* instance_size = TimesPointerSize(LoadMapInstanceSizeInWords(map));
   Node* object = AllocateInNewSpace(instance_size, flags);
   StoreMapNoWriteBarrier(object, map);
   InitializeJSObjectFromMap(object, map, instance_size, properties, elements,
@@ -6616,19 +6617,19 @@ void CodeStubAssembler::LoadPropertyFromFastObject(Node* object, Node* map,
     Node* representation =
         DecodeWord32<PropertyDetails::RepresentationField>(details);
 
-    Node* inobject_properties = LoadMapInobjectProperties(map);
+    field_index =
+        IntPtrAdd(field_index, LoadMapInobjectPropertiesStartInWords(map));
+    Node* instance_size_in_words = LoadMapInstanceSizeInWords(map);
 
     Label if_inobject(this), if_backing_store(this);
     VARIABLE(var_double_value, MachineRepresentation::kFloat64);
     Label rebox_double(this, &var_double_value);
-    Branch(UintPtrLessThan(field_index, inobject_properties), &if_inobject,
+    Branch(UintPtrLessThan(field_index, instance_size_in_words), &if_inobject,
            &if_backing_store);
     BIND(&if_inobject);
     {
       Comment("if_inobject");
-      Node* field_offset = TimesPointerSize(
-          IntPtrAdd(IntPtrSub(LoadMapInstanceSize(map), inobject_properties),
-                    field_index));
+      Node* field_offset = TimesPointerSize(field_index);
 
       Label if_double(this), if_tagged(this);
       Branch(Word32NotEqual(representation,
@@ -6655,7 +6656,7 @@ void CodeStubAssembler::LoadPropertyFromFastObject(Node* object, Node* map,
     {
       Comment("if_backing_store");
       Node* properties = LoadFastProperties(object);
-      field_index = IntPtrSub(field_index, inobject_properties);
+      field_index = IntPtrSub(field_index, instance_size_in_words);
       Node* value = LoadFixedArrayElement(properties, field_index);
 
       Label if_double(this), if_tagged(this);
diff --git a/src/code-stub-assembler.h b/src/code-stub-assembler.h
@@ -505,9 +505,9 @@ class V8_EXPORT_PRIVATE CodeStubAssembler : public compiler::CodeAssembler {
   TNode<PrototypeInfo> LoadMapPrototypeInfo(SloppyTNode<Map> map,
                                             Label* if_has_no_proto_info);
   // Load the instance size of a Map.
-  TNode<IntPtrT> LoadMapInstanceSize(SloppyTNode<Map> map);
-  // Load the inobject properties count of a Map (valid only for JSObjects).
-  TNode<IntPtrT> LoadMapInobjectProperties(SloppyTNode<Map> map);
+  TNode<IntPtrT> LoadMapInstanceSizeInWords(SloppyTNode<Map> map);
+  // Load the inobject properties start of a Map (valid only for JSObjects).
+  TNode<IntPtrT> LoadMapInobjectPropertiesStartInWords(SloppyTNode<Map> map);
   // Load the constructor function index of a Map (only for primitive maps).
   TNode<IntPtrT> LoadMapConstructorFunctionIndex(SloppyTNode<Map> map);
   // Load the constructor of a Map (equivalent to Map::GetConstructor()).
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
@@ -2398,7 +2398,8 @@ AllocationResult Heap::AllocatePartialMap(InstanceType instance_type,
   }
   // GetVisitorId requires a properly initialized LayoutDescriptor.
   map->set_visitor_id(Map::GetVisitorId(map));
-  map->set_inobject_properties_or_constructor_function_index(0);
+  map->set_inobject_properties_start_or_constructor_function_index(0);
+  DCHECK(!map->IsJSObjectMap());
   map->SetInObjectUnusedPropertyFields(0);
   map->set_bit_field(0);
   map->set_bit_field2(0);
@@ -2425,8 +2426,14 @@ AllocationResult Heap::AllocateMap(InstanceType instance_type,
   map->set_prototype(null_value(), SKIP_WRITE_BARRIER);
   map->set_constructor_or_backpointer(null_value(), SKIP_WRITE_BARRIER);
   map->set_instance_size(instance_size);
-  map->set_inobject_properties_or_constructor_function_index(
-      inobject_properties);
+  if (map->IsJSObjectMap()) {
+    map->SetInObjectPropertiesStartInWords(instance_size / kPointerSize -
+                                           inobject_properties);
+    DCHECK_EQ(map->GetInObjectProperties(), inobject_properties);
+  } else {
+    DCHECK_EQ(inobject_properties, 0);
+    map->set_inobject_properties_start_or_constructor_function_index(0);
+  }
   map->set_dependent_code(DependentCode::cast(empty_fixed_array()),
                           SKIP_WRITE_BARRIER);
   map->set_weak_cell_cache(Smi::kZero);
diff --git a/src/ic/keyed-store-generic.cc b/src/ic/keyed-store-generic.cc
@@ -686,17 +686,17 @@ void KeyedStoreGenericAssembler::OverwriteExistingFastProperty(
                  slow);
   Node* field_index =
       DecodeWordFromWord32<PropertyDetails::FieldIndexField>(details);
-  Node* inobject_properties = LoadMapInobjectProperties(object_map);
+  field_index =
+      IntPtrAdd(field_index, LoadMapInobjectPropertiesStartInWords(object_map));
+  Node* instance_size_in_words = LoadMapInstanceSizeInWords(object_map);
 
   Label inobject(this), backing_store(this);
-  Branch(UintPtrLessThan(field_index, inobject_properties), &inobject,
+  Branch(UintPtrLessThan(field_index, instance_size_in_words), &inobject,
          &backing_store);
 
   BIND(&inobject);
   {
-    Node* field_offset = TimesPointerSize(IntPtrAdd(
-        IntPtrSub(LoadMapInstanceSize(object_map), inobject_properties),
-        field_index));
+    Node* field_offset = TimesPointerSize(field_index);
     Label tagged_rep(this), double_rep(this);
     Branch(Word32Equal(representation, Int32Constant(Representation::kDouble)),
            &double_rep, &tagged_rep);
@@ -722,7 +722,7 @@ void KeyedStoreGenericAssembler::OverwriteExistingFastProperty(
 
   BIND(&backing_store);
   {
-    Node* backing_store_index = IntPtrSub(field_index, inobject_properties);
+    Node* backing_store_index = IntPtrSub(field_index, instance_size_in_words);
     Label tagged_rep(this), double_rep(this);
     Branch(Word32Equal(representation, Int32Constant(Representation::kDouble)),
            &double_rep, &tagged_rep);
diff --git a/src/layout-descriptor-inl.h b/src/layout-descriptor-inl.h
@@ -219,9 +219,7 @@ LayoutDescriptorHelper::LayoutDescriptorHelper(Map* map)
     return;
   }
 
-  int inobject_properties = map->GetInObjectProperties();
-  DCHECK_GT(inobject_properties, 0);
-  header_size_ = map->instance_size() - (inobject_properties * kPointerSize);
+  header_size_ = map->GetInObjectPropertiesStartInWords() * kPointerSize;
   DCHECK_GE(header_size_, 0);
 
   all_fields_tagged_ = false;
diff --git a/src/objects-inl.h b/src/objects-inl.h
@@ -2980,51 +2980,68 @@ void Map::set_visitor_id(VisitorId id) {
   WRITE_BYTE_FIELD(this, kVisitorIdOffset, static_cast<byte>(id));
 }
 
+int Map::instance_size_in_words() const {
+  return RELAXED_READ_BYTE_FIELD(this, kInstanceSizeInWordsOffset);
+}
+
+void Map::set_instance_size_in_words(int value) {
+  RELAXED_WRITE_BYTE_FIELD(this, kInstanceSizeInWordsOffset,
+                           static_cast<byte>(value));
+}
+
 int Map::instance_size() const {
-  return RELAXED_READ_BYTE_FIELD(this, kInstanceSizeOffset) << kPointerSizeLog2;
+  return instance_size_in_words() << kPointerSizeLog2;
 }
 
-int Map::inobject_properties_or_constructor_function_index() const {
-  return RELAXED_READ_BYTE_FIELD(
-      this, kInObjectPropertiesOrConstructorFunctionIndexOffset);
+void Map::set_instance_size(int value) {
+  DCHECK_EQ(0, value & (kPointerSize - 1));
+  value >>= kPointerSizeLog2;
+  DCHECK(0 <= value && value < 256);
+  set_instance_size_in_words(value);
 }
 
+int Map::inobject_properties_start_or_constructor_function_index() const {
+  return RELAXED_READ_BYTE_FIELD(
+      this, kInObjectPropertiesStartOrConstructorFunctionIndexOffset);
+}
 
-void Map::set_inobject_properties_or_constructor_function_index(int value) {
+void Map::set_inobject_properties_start_or_constructor_function_index(
+    int value) {
   DCHECK_LE(0, value);
   DCHECK_LT(value, 256);
-  RELAXED_WRITE_BYTE_FIELD(this,
-                           kInObjectPropertiesOrConstructorFunctionIndexOffset,
-                           static_cast<byte>(value));
+  RELAXED_WRITE_BYTE_FIELD(
+      this, kInObjectPropertiesStartOrConstructorFunctionIndexOffset,
+      static_cast<byte>(value));
 }
 
-int Map::GetInObjectProperties() const {
+int Map::GetInObjectPropertiesStartInWords() const {
   DCHECK(IsJSObjectMap());
-  return inobject_properties_or_constructor_function_index();
+  return inobject_properties_start_or_constructor_function_index();
 }
 
+void Map::SetInObjectPropertiesStartInWords(int value) {
+  DCHECK(IsJSObjectMap());
+  set_inobject_properties_start_or_constructor_function_index(value);
+}
 
-void Map::SetInObjectProperties(int value) {
+int Map::GetInObjectProperties() const {
   DCHECK(IsJSObjectMap());
-  set_inobject_properties_or_constructor_function_index(value);
+  return instance_size_in_words() - GetInObjectPropertiesStartInWords();
 }
 
 int Map::GetConstructorFunctionIndex() const {
   DCHECK(IsPrimitiveMap());
-  return inobject_properties_or_constructor_function_index();
+  return inobject_properties_start_or_constructor_function_index();
 }
 
 
 void Map::SetConstructorFunctionIndex(int value) {
   DCHECK(IsPrimitiveMap());
-  set_inobject_properties_or_constructor_function_index(value);
+  set_inobject_properties_start_or_constructor_function_index(value);
 }
 
 int Map::GetInObjectPropertyOffset(int index) const {
-  // Adjust for the number of properties stored in the object.
-  index -= GetInObjectProperties();
-  DCHECK_LE(index, 0);
-  return instance_size() + (index * kPointerSize);
+  return (GetInObjectPropertiesStartInWords() + index) * kPointerSize;
 }
 
 
@@ -3099,15 +3116,6 @@ int HeapObject::SizeFromMap(Map* map) const {
   return reinterpret_cast<const Code*>(this)->CodeSize();
 }
 
-
-void Map::set_instance_size(int value) {
-  DCHECK_EQ(0, value & (kPointerSize - 1));
-  value >>= kPointerSizeLog2;
-  DCHECK(0 <= value && value < 256);
-  RELAXED_WRITE_BYTE_FIELD(this, kInstanceSizeOffset, static_cast<byte>(value));
-}
-
-
 InstanceType Map::instance_type() const {
   return static_cast<InstanceType>(READ_BYTE_FIELD(this, kInstanceTypeOffset));
 }
@@ -3195,7 +3203,7 @@ void Map::AccountAddedPropertyField() {
   // Update used_instance_size_in_words.
   int value = used_instance_size_in_words();
   if (value >= JSObject::kFieldsAdded) {
-    if (value == instance_size() / kPointerSize) {
+    if (value == instance_size_in_words()) {
       AccountAddedOutOfObjectPropertyField(0);
     } else {
       // The property is added in-object, so simply increment the counter.
@@ -3225,7 +3233,7 @@ void Map::VerifyUnusedPropertyFields() const {
     int value = used_instance_size_in_words();
     int unused;
     if (value >= JSObject::kFieldsAdded) {
-      unused = instance_size() / kPointerSize - value;
+      unused = instance_size_in_words() - value;
     } else {
       // For out of object properties "used_instance_size_in_words" byte encodes
       // the slack in the property array.
diff --git a/src/objects.cc b/src/objects.cc
@@ -9579,7 +9579,8 @@ Handle<Map> Map::Create(Isolate* isolate, int inobject_properties) {
 
   // Adjust the map with the extra inobject properties.
   copy->set_instance_size(new_instance_size);
-  copy->SetInObjectProperties(inobject_properties);
+  copy->SetInObjectPropertiesStartInWords(JSObject::kHeaderSize / kPointerSize);
+  DCHECK_EQ(copy->GetInObjectProperties(), inobject_properties);
   copy->SetInObjectUnusedPropertyFields(inobject_properties);
   copy->set_visitor_id(Map::GetVisitorId(*copy));
   return copy;
@@ -12322,7 +12323,6 @@ static void ShrinkInstanceSize(Map* map, void* data) {
 #endif
   int slack = *reinterpret_cast<int*>(data);
   DCHECK_GE(slack, 0);
-  map->SetInObjectProperties(map->GetInObjectProperties() - slack);
   map->set_unused_property_fields(map->unused_property_fields() - slack);
   map->set_instance_size(map->instance_size() - slack * kPointerSize);
   map->set_construction_counter(Map::kNoSlackTracking);
diff --git a/src/objects/map.h b/src/objects/map.h
diff --git a/tools/gen-postmortem-metadata.py b/tools/gen-postmortem-metadata.py

Original file line number	Diff line number	Diff line change
`@@ -219,9 +219,7 @@ LayoutDescriptorHelper::LayoutDescriptorHelper(Map* map)`
`219`	`219`	`return;`
`220`	`220`	`}`
`221`	`221`
`222`		`- int inobject_properties = map->GetInObjectProperties();`
`223`		`- DCHECK_GT(inobject_properties, 0);`
`224`		`- header_size_ = map->instance_size() - (inobject_properties * kPointerSize);`
	`222`	`+ header_size_ = map->GetInObjectPropertiesStartInWords() * kPointerSize;`
`225`	`223`	`DCHECK_GE(header_size_, 0);`
`226`	`224`
`227`	`225`	`all_fields_tagged_ = false;`