[compiler] Ensure old SFIs stay alive for merging

LeszekSwirski · V8 LUCI CQ · commit b2b082c8bad8 · 2024-08-14T13:15:30.000Z
When merging two scripts, we decide whether to use new or old SFIs in one pass over the script info list, and patch old SFIs (in bytecode constant pools) with new ones in another pass. If there is a GC that clears some of the weak script info list pointers between these two passes, then various assumptions break, leading to SFIs in the published result pointing at the wrong script. Make sure that any old SFIs that were encountered in the first pass stay alive for the second pass. Bug: 355575275 Change-Id: I3589bc5169c8a17b32347a1b372773c9f54c6e12 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5786964 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/main@{#95631}
diff --git a/src/codegen/background-merge-task.h b/src/codegen/background-merge-task.h
@@ -56,6 +56,8 @@ class V8_EXPORT_PRIVATE BackgroundMergeTask {
     return state_ == kPendingForegroundWork;
   }
 
+  static void ForceGCDuringNextMergeForTesting();
+
  private:
   std::unique_ptr<PersistentHandles> persistent_handles_;
 
diff --git a/src/codegen/compiler.cc b/src/codegen/compiler.cc
@@ -2257,6 +2257,12 @@ void BackgroundMergeTask::SetUpOnMainThread(
   cached_script_ = persistent_handles_->NewHandle(*cached_script);
 }
 
+static bool force_gc_during_next_merge_for_testing_ = false;
+
+void BackgroundMergeTask::ForceGCDuringNextMergeForTesting() {
+  force_gc_during_next_merge_for_testing_ = true;
+}
+
 void BackgroundMergeTask::BeginMergeInBackground(
     LocalIsolate* isolate, DirectHandle<Script> new_script) {
   DCHECK_EQ(state_, kPendingBackgroundWork);
@@ -2298,20 +2304,22 @@ void BackgroundMergeTask::BeginMergeInBackground(
         // this function literal.
         Tagged<SharedFunctionInfo> old_sfi =
             Cast<SharedFunctionInfo>(maybe_old_info.GetHeapObjectAssumeWeak());
+        // Make sure to allocate a persistent handle to the old sfi whether or
+        // not it or the new sfi have bytecode -- this is necessary to keep the
+        // old sfi reference in the old script list alive, so that pointers to
+        // the new sfi are redirected to the old sfi.
+        Handle<SharedFunctionInfo> old_sfi_handle =
+            local_heap->NewPersistentHandle(old_sfi);
         if (old_sfi->HasBytecodeArray()) {
           // Reset the old SFI's bytecode age so that it won't likely get
           // flushed right away. This operation might be racing against
           // concurrent modification by another thread, but such a race is not
           // catastrophic.
           old_sfi->set_age(0);
-          // Make sure we'll keep the old sfi alive so it'll be installed in the
-          // new bytecode by the forwarder.
-          local_heap->NewPersistentHandle(old_sfi);
         } else if (new_sfi->HasBytecodeArray()) {
           // Also push the old_sfi to make sure it stays alive / isn't replaced.
           new_compiled_data_for_cached_sfis_.push_back(
-              {local_heap->NewPersistentHandle(old_sfi),
-               local_heap->NewPersistentHandle(new_sfi)});
+              {old_sfi_handle, local_heap->NewPersistentHandle(new_sfi)});
           // Pick up existing scope infos from the old sfi. The new sfi will be
           // copied over the old sfi later. This will ensure that we'll keep
           // using the old sfis. This will also allow us check later whether new
@@ -2348,6 +2356,17 @@ void BackgroundMergeTask::BeginMergeInBackground(
     }
   }
 
+  // Since we are walking the script infos weak list both when figuring out
+  // which SFIs to merge above, and actually merging them below, make sure that
+  // a GC here which clears any dead weak refs or flushes any bytecode doesn't
+  // break anything.
+  if (V8_UNLIKELY(force_gc_during_next_merge_for_testing_)) {
+    // This GC is only synchronous on the main thread at the moment.
+    DCHECK(isolate->is_main_thread());
+    local_heap->AsHeap()->CollectAllAvailableGarbage(
+        GarbageCollectionReason::kTesting);
+  }
+
   if (forwarder.HasAnythingToForward()) {
     for (DirectHandle<SharedFunctionInfo> new_sfi : used_new_sfis_) {
       forwarder.UpdateScopeInfo(*new_sfi);
diff --git a/src/codegen/compiler.h b/src/codegen/compiler.h
@@ -649,7 +649,7 @@ class V8_EXPORT_PRIVATE BackgroundCompileTask {
 
 // Contains all data which needs to be transmitted between threads for
 // background parsing and compiling and finalizing it on the main thread.
-struct ScriptStreamingData {
+struct V8_EXPORT_PRIVATE ScriptStreamingData {
   ScriptStreamingData(
       std::unique_ptr<ScriptCompiler::ExternalSourceStream> source_stream,
       ScriptCompiler::StreamedSource::Encoding encoding);
diff --git a/src/heap/factory.cc b/src/heap/factory.cc
@@ -2607,6 +2607,12 @@ Handle<FixedArray> Factory::CopyFixedArrayAndGrow(
   return CopyArrayAndGrow(array, grow_by, allocation);
 }
 
+Handle<WeakFixedArray> Factory::CopyWeakFixedArray(
+    DirectHandle<WeakFixedArray> src) {
+  DCHECK(!IsTransitionArray(*src));  // Compacted by GC, this code doesn't work
+  return CopyArrayWithMap(src, weak_fixed_array_map(), AllocationType::kOld);
+}
+
 Handle<WeakFixedArray> Factory::CopyWeakFixedArrayAndGrow(
     DirectHandle<WeakFixedArray> src, int grow_by) {
   DCHECK(!IsTransitionArray(*src));  // Compacted by GC, this code doesn't work
diff --git a/src/heap/factory.h b/src/heap/factory.h
@@ -572,6 +572,8 @@ class V8_EXPORT_PRIVATE Factory : public FactoryBase<Factory> {
   Handle<WeakArrayList> NewWeakArrayList(
       int capacity, AllocationType allocation = AllocationType::kYoung);
 
+  Handle<WeakFixedArray> CopyWeakFixedArray(DirectHandle<WeakFixedArray> array);
+
   Handle<WeakFixedArray> CopyWeakFixedArrayAndGrow(
       DirectHandle<WeakFixedArray> array, int grow_by);
 
diff --git a/test/unittests/compiler/compiler-unittest.cc b/test/unittests/compiler/compiler-unittest.cc
@@ -20,6 +20,7 @@
 #include "src/objects/allocation-site-inl.h"
 #include "src/objects/objects-inl.h"
 #include "src/objects/shared-function-info.h"
+#include "test/unittests/heap/heap-utils.h"  // For ManualGCScope.
 #include "test/unittests/test-utils.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
@@ -935,5 +936,211 @@ TEST_F(CompilerTest, ProfilerEnabledDuringBackgroundCompile) {
   cpu_profiler->StopProfiling(profile);
 }
 
+using BackgroundMergeTest = TestWithNativeContext;
+
+// Tests that a GC during merge doesn't break the merge.
+TEST_F(BackgroundMergeTest, GCDuringMerge) {
+  v8_flags.verify_code_merge = true;
+
+  HandleScope scope(isolate());
+  const char* source =
+      // f is compiled eagerly thanks to the IIFE hack.
+      "f = (function f(x) {"
+      "  let b = x;"
+      // f is compiled eagerly, so g's SFI exists. But, it is not compiled.
+      "  return function g() {"
+      // g isn't compiled, so h's SFI does not exist.
+      "    return function h() {"
+      "      return b;"
+      "    }"
+      "  }"
+      "})";
+  Handle<String> source_string =
+      isolate()
+          ->factory()
+          ->NewStringFromUtf8(base::CStrVector(source))
+          .ToHandleChecked();
+
+  const int kTopLevelId = 0;
+  const int kFId = 1;
+  const int kGId = 2;
+  const int kHId = 3;
+
+  // Compile the script once to warm up the compilation cache.
+  Handle<JSFunction> old_g;
+  IsCompiledScope old_g_bytecode_keepalive;
+  {
+    // Compile in a new handle scope, so that the script can die while the inner
+    // functions stay alive.
+    HandleScope scope(isolate());
+    ScriptCompiler::CompilationDetails compilation_details;
+    Handle<SharedFunctionInfo> top_level_sfi =
+        Compiler::GetSharedFunctionInfoForScript(
+            isolate(), source_string, ScriptDetails(),
+            v8::ScriptCompiler::kNoCompileOptions,
+            ScriptCompiler::kNoCacheNoReason, NOT_NATIVES_CODE,
+            &compilation_details)
+            .ToHandleChecked();
+
+    {
+      Tagged<Script> script = Cast<Script>(top_level_sfi->script());
+      CHECK(!script->infos()->get(kTopLevelId).IsCleared());
+      CHECK(!script->infos()->get(kFId).IsCleared());
+      CHECK(!script->infos()->get(kGId).IsCleared());
+      // h in the script infos list was never initialized by the compilation, so
+      // it's the default value for a WeakFixedArray, which is `undefined`.
+      CHECK(Is<Undefined>(script->infos()->get(kHId)));
+    }
+
+    Handle<JSFunction> top_level =
+        Factory::JSFunctionBuilder{isolate(), top_level_sfi,
+                                   isolate()->native_context()}
+            .Build();
+
+    Handle<JSObject> global(isolate()->context()->global_object(), isolate());
+    Execution::CallScript(isolate(), top_level, global,
+                          isolate()->factory()->empty_fixed_array())
+        .Check();
+
+    Handle<JSFunction> f = Cast<JSFunction>(
+        JSObject::GetProperty(isolate(), global, "f").ToHandleChecked());
+
+    CHECK(f->is_compiled(isolate()));
+
+    // Execute f to get g's SFI (no g bytecode yet)
+    Handle<JSFunction> g = Cast<JSFunction>(
+        Execution::Call(isolate(), f, global, 0, nullptr).ToHandleChecked());
+    CHECK(!g->is_compiled(isolate()));
+
+    // Execute g's SFI to initialize g's bytecode, and to get h.
+    Handle<JSFunction> h = Cast<JSFunction>(
+        Execution::Call(isolate(), g, global, 0, nullptr).ToHandleChecked());
+    CHECK(g->is_compiled(isolate()));
+    CHECK(!h->is_compiled(isolate()));
+
+    CHECK_EQ(top_level->shared()->function_literal_id(), kTopLevelId);
+    CHECK_EQ(f->shared()->function_literal_id(), kFId);
+    CHECK_EQ(g->shared()->function_literal_id(), kGId);
+    CHECK_EQ(h->shared()->function_literal_id(), kHId);
+
+    // Age everything so that subsequent GCs can pick it up if possible.
+    SharedFunctionInfo::EnsureOldForTesting(top_level->shared());
+    SharedFunctionInfo::EnsureOldForTesting(f->shared());
+    SharedFunctionInfo::EnsureOldForTesting(g->shared());
+    SharedFunctionInfo::EnsureOldForTesting(h->shared());
+    old_g = scope.CloseAndEscape(g);
+  }
+  Handle<Script> old_script(Cast<Script>(old_g->shared()->script()), isolate());
+
+  // Make sure bytecode is cleared...
+  for (int i = 0; i < 3; ++i) {
+    InvokeMajorGC();
+  }
+  CHECK(!old_g->is_compiled(isolate()));
+
+  // The top-level script should now be dead.
+  CHECK(old_script->infos()->get(kTopLevelId).IsCleared());
+  // f should still be alive by global reference.
+  CHECK(!old_script->infos()->get(kFId).IsCleared());
+  // g should be kept alive by our old_g handle.
+  CHECK(!old_script->infos()->get(kGId).IsCleared());
+  // h should be dead since g's bytecode was flushed.
+  CHECK(old_script->infos()->get(kHId).IsCleared());
+
+  // Copy the old_script_infos WeakFixedArray, so that we can inspect it after
+  // the merge mutated the original.
+  Handle<WeakFixedArray> unmutated_old_script_list =
+      isolate()->factory()->CopyWeakFixedArray(
+          direct_handle(old_script->infos(), isolate()));
+
+  {
+    HandleScope scope(isolate());
+    ScriptStreamingData streamed_source(
+        std::make_unique<DummySourceStream>(source),
+        v8::ScriptCompiler::StreamedSource::UTF8);
+    ScriptCompiler::CompilationDetails details;
+    streamed_source.task = std::make_unique<i::BackgroundCompileTask>(
+        &streamed_source, isolate(), ScriptType::kClassic,
+        ScriptCompiler::CompileOptions::kNoCompileOptions, &details);
+
+    streamed_source.task->RunOnMainThread(isolate());
+
+    Handle<SharedFunctionInfo> top_level_sfi;
+    {
+      // Use a manual GC scope, because we want to test a GC in a very precise
+      // spot in the merge.
+      ManualGCScope manual_gc(isolate());
+      // There's one more reference to the old_g -- clear it so that nothing is
+      // keeping it alive
+      CHECK(!old_script->infos()->get(kGId).IsCleared());
+      CHECK(!unmutated_old_script_list->get(kGId).IsCleared());
+      old_g.PatchValue({});
+      CHECK(!old_script->infos()->get(kFId).IsCleared());
+
+      BackgroundMergeTask::ForceGCDuringNextMergeForTesting();
+
+      top_level_sfi = streamed_source.task
+                          ->FinalizeScript(isolate(), source_string,
+                                           ScriptDetails(), old_script)
+                          .ToHandleChecked();
+      CHECK(!old_script->infos()->get(kFId).IsCleared());
+    }
+
+    CHECK_EQ(top_level_sfi->script(), *old_script);
+
+    Handle<JSFunction> top_level =
+        Factory::JSFunctionBuilder{isolate(), top_level_sfi,
+                                   isolate()->native_context()}
+            .Build();
+
+    Handle<JSObject> global(isolate()->context()->global_object(), isolate());
+
+    Handle<JSFunction> f = Cast<JSFunction>(
+        JSObject::GetProperty(isolate(), global, "f").ToHandleChecked());
+
+    // f should normally be compiled (with the old shared function info but the
+    // new bytecode). However, the extra GCs in finalization might cause it to
+    // be flushed, so we can't guarantee this check.
+    // CHECK(f->is_compiled(isolate()));
+
+    // Execute f to get g's SFI (no g bytecode yet)
+    Handle<JSFunction> g = Cast<JSFunction>(
+        Execution::Call(isolate(), f, global, 0, nullptr).ToHandleChecked());
+    CHECK(!g->is_compiled(isolate()));
+
+    // Execute g's SFI to initialize g's bytecode, and to get h.
+    Handle<JSFunction> h = Cast<JSFunction>(
+        Execution::Call(isolate(), g, global, 0, nullptr).ToHandleChecked());
+    CHECK(g->is_compiled(isolate()));
+    CHECK(!h->is_compiled(isolate()));
+
+    CHECK_EQ(top_level->shared()->function_literal_id(), kTopLevelId);
+    CHECK_EQ(f->shared()->function_literal_id(), kFId);
+    CHECK_EQ(g->shared()->function_literal_id(), kGId);
+    CHECK_EQ(h->shared()->function_literal_id(), kHId);
+
+    CHECK_EQ(top_level->shared()->script(), *old_script);
+    CHECK_EQ(f->shared()->script(), *old_script);
+    CHECK_EQ(g->shared()->script(), *old_script);
+    CHECK_EQ(h->shared()->script(), *old_script);
+
+    CHECK_EQ(MakeWeak(top_level->shared()),
+             old_script->infos()->get(kTopLevelId));
+    CHECK_EQ(MakeWeak(f->shared()), old_script->infos()->get(kFId));
+    CHECK_EQ(MakeWeak(g->shared()), old_script->infos()->get(kGId));
+    CHECK_EQ(MakeWeak(h->shared()), old_script->infos()->get(kHId));
+
+    // The old top-level died, so we have a new one.
+    CHECK_NE(MakeWeak(top_level->shared()),
+             unmutated_old_script_list->get(kTopLevelId));
+    // The old f was still alive, so it's the same.
+    CHECK_EQ(MakeWeak(f->shared()), unmutated_old_script_list->get(kFId));
+    // The old g was still alive, so it's the same.
+    CHECK_EQ(MakeWeak(g->shared()), unmutated_old_script_list->get(kGId));
+    // The old h died, so it's different.
+    CHECK_NE(MakeWeak(h->shared()), unmutated_old_script_list->get(kHId));
+  }
+}
+
 }  // namespace internal
 }  // namespace v8

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,8 @@ class V8_EXPORT_PRIVATE BackgroundMergeTask {`
`56`	`56`	`return state_ == kPendingForegroundWork;`
`57`	`57`	`}`
`58`	`58`
	`59`	`+ static void ForceGCDuringNextMergeForTesting();`
	`60`	`+`
`59`	`61`	`private:`
`60`	`62`	`std::unique_ptr<PersistentHandles> persistent_handles_;`
`61`	`63`