From fe9d00c9582076b468dcef552da68eec6a05ccab Mon Sep 17 00:00:00 2001 From: thomasmichaelwallace Date: Mon, 28 Jun 2021 20:53:38 +0000 Subject: [PATCH] deps: V8: cherry-pick 81181a8ad80a MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Original commit message: [JSON] Fix GC issue in BuildJsonObject We must ensure that the sweeper is not running or has already swept mutable_double_buffer. Otherwise the GC can add it to the free list. Bug: v8:11837 Change-Id: Ifd9cf15f1c94f664fd6489c70bb38b59730cdd78 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2928181 Commit-Queue: Victor Gomes Reviewed-by: Toon Verwaest Reviewed-by: Dominik Inführ Cr-Commit-Position: refs/heads/master@{#74859} Refs: v8/v8@81181a8 PR-URL: https://github.com/nodejs/node/pull/39187 Fixes: https://github.com/nodejs/node/issues/37553 Refs: https://github.com/v8/v8/commit/81181a8 Reviewed-By: Michaël Zasso Reviewed-By: Richard Lau Reviewed-By: Gireesh Punathil Reviewed-By: Matteo Collina --- common.gypi | 2 +- deps/v8/src/heap/heap.cc | 4 ++++ deps/v8/src/heap/heap.h | 2 ++ deps/v8/src/json/json-parser.cc | 5 +++++ 4 files changed, 12 insertions(+), 1 deletion(-) diff --git a/common.gypi b/common.gypi index 8b81a0a39dd09d..bb27df43d5cb7c 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.72', + 'v8_embedder_string': '-node.73', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/heap/heap.cc b/deps/v8/src/heap/heap.cc index 5d5eaae0683b74..62033444ed0427 100644 --- a/deps/v8/src/heap/heap.cc +++ b/deps/v8/src/heap/heap.cc 
@@ -3347,6 +3347,10 @@ void Heap::MakeHeapIterable() {
 mark_compact_collector()->EnsureSweepingCompleted();
 }
+void Heap::EnsureSweepingCompleted() {
+ mark_compact_collector()->EnsureSweepingCompleted();
+}
+
 namespace {
 double ComputeMutatorUtilizationImpl(double mutator_speed, double gc_speed) {
diff --git a/deps/v8/src/heap/heap.h b/deps/v8/src/heap/heap.h
index b2105a96badc2f..4ca8c3b201fb03 100644
--- a/deps/v8/src/heap/heap.h
+++ b/deps/v8/src/heap/heap.h
@@ -1001,6 +1001,8 @@ class Heap {
 Reservation* reservations, const std::vector& large_objects, const std::vector
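Review bot: As far as the hunk shows, the new Heap::EnsureSweepingCompleted() has exactly the body of Heap::MakeHeapIterable() directly above it, so heap.cc now carries the same forwarding call to mark_compact_collector()->EnsureSweepingCompleted() twice with nothing saying how the two entry points differ. Routing the old one through the new public method, `void Heap::MakeHeapIterable() { EnsureSweepingCompleted(); }`, keeps a single place to change if the sweeper API moves and makes the relationship explicit. A short comment on the definition would also help readers arriving from the json-parser.cc call site, e.g. `// Entry point for code outside the GC that must not race the concurrent sweeper (see JsonParser::BuildJsonObject).`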
& maps);
+ void EnsureSweepingCompleted();
+
 IncrementalMarking* incremental_marking() { return incremental_marking_.get(); }
diff --git a/deps/v8/src/json/json-parser.cc b/deps/v8/src/json/json-parser.cc
index da2f60d3209b4a..2ac4e727e0bdb3 100644
--- a/deps/v8/src/json/json-parser.cc
+++ b/deps/v8/src/json/json-parser.cc
@@ -633,6 +633,11 @@ Handle JsonParser::BuildJsonObject(
 DCHECK_EQ(mutable_double_address, end);
 }
 #endif
+ // Before setting the length of mutable_double_buffer back to zero, we
+ // must ensure that the sweeper is not running or has already swept the
+ // object's page. Otherwise the GC can add the contents of
+ // mutable_double_buffer to the free list.
+ isolate()->heap()->EnsureSweepingCompleted();
 mutable_double_buffer->set_length(0);
 }
 }
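Review bot: The added declaration `void EnsureSweepingCompleted();` carries no comment, so a reader of heap.h cannot tell whether it waits for an in-progress sweep, starts one, or both, nor when a caller outside the heap needs it. Suggest documenting the contract the commit message gives, e.g. `// Blocks until any concurrent sweeping has finished. Required before shrinking a live object in place (see JsonParser::BuildJsonObject); otherwise the sweeper may put the object's memory on the free list.` The class Heap body continues outside the hunk on both sides.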
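Review bot: The new `isolate()->heap()->EnsureSweepingCompleted();` runs on every pass through this block, and nothing in the hunk restricts it to the case where a concurrent sweep is actually in progress; unless the callee returns immediately when no sweep is in flight (not visible here), every JSON.parse that used mutable_double_buffer now pays a synchronous wait on the sweeper. Worth confirming, and if it does short-circuit, saying so next to the call, e.g. `// Returns immediately when no sweep is in progress; otherwise blocks until the sweeper is done.`. The ordering is the part that must survive any later refactor: set_length(0) shrinks a live object in place, and doing that while the sweeper could still visit its page is what, per the commit message, let the GC put the buffer's contents on the free list while the parser was still using them, a memory-safety bug reachable from parsing untrusted input, so the wait has to stay ahead of the set_length call. BuildJsonObject begins and ends outside the hunk.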