Prototype map mutation breaks concurrent marker. |
||
Issue descriptionWe currently have an optimization that transfers descriptor array (and layout descriptor) from the old prototype map to the new prototype map and clears the descriptor array of the old map: https://cs.chromium.org/chromium/src/v8/src/objects.cc?rcl=16721dfd13e39b884a90d0d74a02d87f84d65359&l=4183 This relies on the invariant that there is one-to-one correspondence between the prototype object and its map. So the old map will not be used again. This optimization is valid in sequential setting. With concurrent marker, however, the invariant breaks because the concurrent marker might be using the old map to iterate the object while the old map is being mutated. I tried to copy descriptor arrays, but that caused many regressions on perf bots and was reverted: https://chromium-review.googlesource.com/555551 The long term fix is to keep the prototype objects in dictionary mode (according to Igor). I am looking for short term fix since this is the only issue currently that is blocking concurrent marking.
,
Aug 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/d09f9c424fbc0c5679fd7c370c70c8915b29d987 commit d09f9c424fbc0c5679fd7c370c70c8915b29d987 Author: Ulan Degenbaev <ulan@chromium.org> Date: Thu Aug 10 08:56:49 2017 [runtime] Do not clear prototype map descriptors. Mutating the descriptor array and the layout descriptor of a map races with the concurrent marking. This patch simply transfers ownership of the descriptor array without mutating the map. Since the old map is not going to be used anymore and there are not transitions from the old map, this should be safe for trimming the descriptor arrays during GC. This patch also adds checks in IC code avoid caching of dummy transitions from the abandoned prototype map. Bug: chromium:752461 Change-Id: I7b44ba7c369199bdb3ff48235226fe504c7eb4a5 Reviewed-on: https://chromium-review.googlesource.com/602210 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Cr-Commit-Position: refs/heads/master@{#47275} [modify] https://crrev.com/d09f9c424fbc0c5679fd7c370c70c8915b29d987/src/heap/mark-compact.cc [modify] https://crrev.com/d09f9c424fbc0c5679fd7c370c70c8915b29d987/src/ic/ic.cc [modify] https://crrev.com/d09f9c424fbc0c5679fd7c370c70c8915b29d987/src/objects-inl.h [modify] https://crrev.com/d09f9c424fbc0c5679fd7c370c70c8915b29d987/src/objects.cc [modify] https://crrev.com/d09f9c424fbc0c5679fd7c370c70c8915b29d987/src/objects/map.h
,
Aug 10 2017
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/17f7efee49da8f3549b1648e9e18110515304c83 commit 17f7efee49da8f3549b1648e9e18110515304c83 Author: Ulan Degenbaev <ulan@chromium.org> Date: Thu Aug 10 17:23:03 2017 [heap] Add missing atomicity parameter in NotifyLeftTrimming. Bug: chromium:752461 Change-Id: Ie70a4ed1314e040d0edecece6a1dca7b1fc8d001 Reviewed-on: https://chromium-review.googlesource.com/610083 Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#47287} [modify] https://crrev.com/17f7efee49da8f3549b1648e9e18110515304c83/src/heap/incremental-marking.cc
,
Aug 10 2017
|
||
►
Sign in to add a comment |
||
Comment 1 by u...@chromium.org
, Aug 4 2017