
Commit a1d0bf6

Dominik InführV8 LUCI CQ
authored andcommitted
[codegen] Improve WB verification for allocation folding
So far for allocation folding we were simply checking whether the object resides between the LAB start and LAB top in PreCheckSkippedWriteBarrier. However, we can be more restrictive than that and require that the object is between last_young_allocation_ and the LAB top. Since last_young_allocation_ can point to a large object as well, we also need to make sure that last_young_allocation_ points into the LAB. This CL therefore checks whether the condition LAB start <= last_young_allocation_ <= object < LAB top holds. Bug: 437096305 Change-Id: I5e0748ff553e337176ef07dbee21818cacfe8b10 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6959212 Reviewed-by: Darius Mercadier <[email protected]> Commit-Queue: Dominik Inführ <[email protected]> Cr-Commit-Position: refs/heads/main@{#102584}
1 parent 7ad0d37 commit a1d0bf6

4 files changed

Lines changed: 68 additions & 34 deletions


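--- a/src/codegen/arm/macro-assembler-arm.cc
+++ b/src/codegen/arm/macro-assembler-arm.cc
@@ -3008,21 +3008,30 @@ void MacroAssembler::PreCheckSkippedWriteBarrier(Register object,
 
   Label not_ok;
 
-  // Handle allocation folding: Allow write barrier removal if LAB start <=
-  // object < LAB top.
+  // Handle allocation folding, allow WB removal if:
+  // LAB start <= last_young_allocation_ < (object address+1) < LAB top
+  // Note that object has tag bit set, so object == object address+1.
+
   {
     UseScratchRegisterScope temps(this);
     Register scratch1 = temps.Acquire();
-    // Recompute object address here because scratch was clobbered by
-    // CheckPageFlag.
-    sub(scratch, object, Operand(kHeapObjectTag));
-    ldr(scratch1, MemOperand(kRootRegister,
-                             IsolateData::new_allocation_info_start_offset()));
-    cmp(scratch, scratch1);
-    b(Condition::kUnsignedLessThan, &not_ok);
-    ldr(scratch1, MemOperand(kRootRegister,
-                             IsolateData::new_allocation_info_top_offset()));
+
+    // Check LAB start <= last_young_allocation_.
+    ldr(scratch, MemOperand(kRootRegister,
+                            IsolateData::new_allocation_info_start_offset()));
+    ldr(scratch1,
+        MemOperand(kRootRegister, IsolateData::last_young_allocation_offset()));
     cmp(scratch, scratch1);
+    b(Condition::kUnsignedGreaterThan, &not_ok);
+
+    // Check last_young_allocation_ < (object address+1).
+    cmp(scratch1, object);
+    b(Condition::kUnsignedGreaterThanEqual, &not_ok);
+
+    // Check (object address+1) < LAB top.
+    ldr(scratch, MemOperand(kRootRegister,
+                            IsolateData::new_allocation_info_top_offset()));
+    cmp(object, scratch);
     b(Condition::kUnsignedLessThan, ok);
   }
 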
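Review bot: The new comment `// Note that object has tag bit set, so object == object address+1.` bakes the concrete value of the heap-object tag into the bound being checked, whereas the removed lines subtracted `kHeapObjectTag` symbolically; the same comment and the same reliance appear in the arm64, ia32 and x64 hunks of this commit. If the tag were ever anything but 1 the three comparisons would silently verify the wrong interval, so I would pin the assumption with `static_assert(kHeapObjectTag == 1);` ahead of the block (it is a compile-time constant as far as I can tell) or at least word the comment as `object == object address + kHeapObjectTag`. PreCheckSkippedWriteBarrier starts before this hunk and `not_ok` is bound after it, so the fall-through after the final `b(Condition::kUnsignedLessThan, ok)` cannot be confirmed from the hunk alone.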
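--- a/src/codegen/arm64/macro-assembler-arm64.cc
+++ b/src/codegen/arm64/macro-assembler-arm64.cc
@@ -3919,21 +3919,30 @@ void MacroAssembler::PreCheckSkippedWriteBarrier(Register object,
 
   Label not_ok;
 
-  // Handle allocation folding: Allow write barrier removal if LAB start <=
-  // object < LAB top.
+  // Handle allocation folding, allow WB removal if:
+  // LAB start <= last_young_allocation_ < (object address+1) < LAB top
+  // Note that object has tag bit set, so object == object address+1.
+
   {
     UseScratchRegisterScope temps(this);
     Register scratch1 = temps.AcquireX();
-    // Recompute object address here because scratch was clobbered by
-    // CheckPageFlag.
-    sub(scratch, object, kHeapObjectTag);
-    Ldr(scratch1, MemOperand(kRootRegister,
-                             IsolateData::new_allocation_info_start_offset()));
-    cmp(scratch, scratch1);
-    B(Condition::kUnsignedLessThan, &not_ok);
-    Ldr(scratch1, MemOperand(kRootRegister,
-                             IsolateData::new_allocation_info_top_offset()));
+
+    // Check LAB start <= last_young_allocation_.
+    ldr(scratch, MemOperand(kRootRegister,
+                            IsolateData::new_allocation_info_start_offset()));
+    ldr(scratch1,
+        MemOperand(kRootRegister, IsolateData::last_young_allocation_offset()));
     cmp(scratch, scratch1);
+    B(Condition::kUnsignedGreaterThan, &not_ok);
+
+    // Check last_young_allocation_ < (object address+1).
+    cmp(scratch1, object);
+    B(Condition::kUnsignedGreaterThanEqual, &not_ok);
+
+    // Check (object address+1) < LAB top.
+    ldr(scratch, MemOperand(kRootRegister,
+                            IsolateData::new_allocation_info_top_offset()));
+    cmp(object, scratch);
     B(Condition::kUnsignedLessThan, ok);
   }
 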
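Review bot: The three added loads use the raw assembler `ldr` while the lines they replace used the macro-assembler `Ldr`, and the branches in the same block still use the macro form `B`, so the block now mixes both layers. I would keep the macro form, e.g. `Ldr(scratch, MemOperand(kRootRegister, IsolateData::new_allocation_info_start_offset()));` and `Ldr(scratch1, MemOperand(kRootRegister, IsolateData::last_young_allocation_offset()));` (and likewise for the top load), to match the removed code and the surrounding style; as far as I can tell the macro form also takes care of memory offsets the immediate encoding cannot express, which the raw instruction would not. The arm hunk uses lowercase `ldr` on both sides of the change, so this applies to arm64 only.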
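--- a/src/codegen/ia32/macro-assembler-ia32.cc
+++ b/src/codegen/ia32/macro-assembler-ia32.cc
@@ -2332,15 +2332,23 @@ void MacroAssembler::PreCheckSkippedWriteBarrier(Register object,
 
   Label not_ok;
 
-  // Handle allocation folding: Allow write barrier removal if LAB start <=
-  // object < LAB top.
-  // Recompute object address here because scratch was clobbered by
-  // CheckPageFlag.
-  lea(scratch, Operand(object, -kHeapObjectTag));
+  // Handle allocation folding, allow WB removal if:
+  // LAB start <= last_young_allocation_ < (object address+1) < LAB top
+  // Note that object has tag bit set, so object == object address+1.
+
+  // Check LAB start <= last_young_allocation_.
+  mov(scratch,
+      Operand(kRootRegister, IsolateData::last_young_allocation_offset()));
   cmp(scratch,
       Operand(kRootRegister, IsolateData::new_allocation_info_start_offset()));
   j(Condition::kUnsignedLessThan, &not_ok);
-  cmp(scratch,
+
+  // Check last_young_allocation_ < (object address+1).
+  cmp(scratch, object);
+  j(Condition::kUnsignedGreaterThanEqual, &not_ok);
+
+  // Check (object address+1) < LAB top.
+  cmp(object,
       Operand(kRootRegister, IsolateData::new_allocation_info_top_offset()));
   j(Condition::kUnsignedLessThan, ok);
 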
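--- a/src/codegen/x64/macro-assembler-x64.cc
+++ b/src/codegen/x64/macro-assembler-x64.cc
@@ -5072,15 +5072,23 @@ void MacroAssembler::PreCheckSkippedWriteBarrier(Register object,
 
   Label not_ok;
 
-  // Handle allocation folding: Allow write barrier removal if LAB start <=
-  // object < LAB top.
-  // Recompute object address here because scratch was clobbered by
-  // CheckPageFlag.
-  leaq(scratch, Operand(object, -kHeapObjectTag));
+  // Handle allocation folding, allow WB removal if:
+  // LAB start <= last_young_allocation_ < (object address+1) < LAB top
+  // Note that object has tag bit set, so object == object address+1.
+
+  // Check LAB start <= last_young_allocation_.
+  movq(scratch,
+       Operand(kRootRegister, IsolateData::last_young_allocation_offset()));
   cmpq(scratch,
        Operand(kRootRegister, IsolateData::new_allocation_info_start_offset()));
   j(Condition::kUnsignedLessThan, &not_ok);
-  cmpq(scratch,
+
+  // Check last_young_allocation_ < (object address+1).
+  cmpq(scratch, object);
+  j(Condition::kUnsignedGreaterThanEqual, &not_ok);
+
+  // Check (object address+1) < LAB top.
+  cmpq(object,
        Operand(kRootRegister, IsolateData::new_allocation_info_top_offset()));
   j(Condition::kUnsignedLessThan, ok);
 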