
Issue 781728 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Android, Windows, Chrome, Mac, Fuchsia
Pri: 2
Type: Bug

Blocking:
issue 780749




Finalizer should keep phantom handles alive on Scavenge

Project Member Reported by mlippautz@chromium.org, Nov 6 2017

Issue description

Similar to issue 772299, the finalizers for weak handles should keep phantom handles alive on Scavenge.

This is currently a bug on ToT that can yield stale pointers from V8 wrappers to Blink wrappables (2 internal fields).

Crashes occur on either (a) calls to wrappables or (b) wrapper tracing. (b) is way more likely though.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Nov 6 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/v8/v8.git/+/da5a8e3dd24448c1a4132751daef14d9fdeb2f33

commit da5a8e3dd24448c1a4132751daef14d9fdeb2f33
Author: Michael Lippautz <mlippautz@chromium.org>
Date: Mon Nov 06 22:25:14 2017

[heap] Introduce separate pass for resetting phantom handles on Scavenge

Resetting phantom handles while keeping finalizers alive leads to the
problem of eagerly resetting a handle although another finalizer keeps
it (transitively) alive.

This becomes a problem with internal pointers to Blink as without a
global handle a Blink GC is free to collect wrappables.

This CL untangles finalizer handling from phantom handle resets by
introducing a separate path for resetting.

CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel;master.tryserver.chromium.linux:linux_optional_gpu_tests_rel;master.tryserver.chromium.mac:mac_optional_gpu_tests_rel;master.tryserver.chromium.win:win_optional_gpu_tests_rel;master.tryserver.chromium.android:android_optional_gpu_tests_rel

Bug: chromium:781728
Change-Id: Ica138b72942698fd996c6e9fe0bdc19cc432c010
Reviewed-on: https://chromium-review.googlesource.com/753724
Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#49162}
[modify] https://crrev.com/da5a8e3dd24448c1a4132751daef14d9fdeb2f33/src/global-handles.cc
[modify] https://crrev.com/da5a8e3dd24448c1a4132751daef14d9fdeb2f33/src/global-handles.h
[modify] https://crrev.com/da5a8e3dd24448c1a4132751daef14d9fdeb2f33/src/heap/heap.cc
[modify] https://crrev.com/da5a8e3dd24448c1a4132751daef14d9fdeb2f33/src/heap/mark-compact.cc
[modify] https://crrev.com/da5a8e3dd24448c1a4132751daef14d9fdeb2f33/test/cctest/test-global-handles.cc

Status: Fixed (was: Started)
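An added toy model (not V8's code) of the ordering problem the commit message describes: when phantom handles are reset in the same pass that processes finalizer handles, a phantom handle can be reset before a later finalizer keeps its object (transitively) alive, leaving a reset handle to a wrapper that is still live; a separate reset pass avoids this. The heap shape, handle order and object ids below are constructed for the example.

```cpp
#include <map>
#include <set>
#include <vector>
struct Object { int id; std::vector<int> refs; };
struct Handle { int object; bool phantom; bool reset; };
struct Model {
  std::map<int, Object> heap;  // constructed toy heap: id -> object
  std::vector<Handle> handles; // global handles in the order they are visited
  std::set<int> live;          // objects already marked live from strong roots
  // Transitive marking: everything reachable from id survives this cycle.
  void MarkFrom(int id) {
    if (!live.insert(id).second) return;
    for (int r : heap[id].refs) MarkFrom(r);
  }
  // Pre-fix behaviour: one pass. A phantom handle is reset as soon as its
  // object looks dead, but a later finalizer handle may still revive it.
  void ProcessOnePass() {
    for (Handle& h : handles) {
      if (live.count(h.object)) continue;
      if (h.phantom) h.reset = true; else MarkFrom(h.object);
    }
  }
  // Post-fix behaviour: finalizers first, then a separate reset pass that
  // only touches phantom handles whose object is still dead.
  void ProcessTwoPass() {
    for (Handle& h : handles)
      if (!h.phantom && !live.count(h.object)) MarkFrom(h.object);
    for (Handle& h : handles)
      if (h.phantom && !live.count(h.object)) h.reset = true;
  }
  // A reset phantom handle whose object survived is the stale-pointer case.
  int StaleHandles() const {
    int n = 0;
    for (const Handle& h : handles) if (h.reset && live.count(h.object)) ++n;
    return n;
  }
};
// Constructed scenario: wrapper 2 (phantom handle) is referenced only by
// object 1, which has a finalizer handle and is visited after the phantom.
Model BuildScenario() {
  Model m;
  m.heap[1] = Object{1, {2}};
  m.heap[2] = Object{2, {}};
  m.handles = {Handle{2, true, false}, Handle{1, false, false}};
  return m;
}
int StaleWithOnePass() { Model m = BuildScenario(); m.ProcessOnePass(); return m.StaleHandles(); }
int StaleWithTwoPass() { Model m = BuildScenario(); m.ProcessTwoPass(); return m.StaleHandles(); }
```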
