[Backport] Security bug 1211215

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/v8/v8/+/2940899: Merged: Squashed multiple commits. Merged: Disable left-trimming when optimizing compile jobs exist Revision: ac0605a1a486b8d074f116cc365de9d2b6d7c9e5 Merged: [heap] Don't assume that optimizing-compile-dispatcher exists Revision: 022b312d55e75935cfa99cca7729ae2d3f795bd0 BUG=chromium:1211215,chromium:1215514 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true [email protected] Change-Id: I3b3a37d64402ea464c8e653517928522a1c5e0da Reviewed-by: Dominik Inführ <[email protected]> Commit-Queue: Georg Neis <[email protected]> Cr-Commit-Position: refs/branch-heads/9.1@{#67} Cr-Branched-From: 0e4ac64a8cf298b14034a22f9fe7b085d2cb238d-refs/heads/9.1.269@{#1} Cr-Branched-From: f565e72d5ba88daae35a59d0f978643e2343e912-refs/heads/master@{#73847} Reviewed-by: Michal Klocek <[email protected]>
qt · Aug 2, 2021 · 82dbe6e · 82dbe6e
1 parent 63aa707
commit 82dbe6e
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 8 deletions.
diff --git a/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc b/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.cc
@@ -47,7 +47,6 @@ class OptimizingCompileDispatcher::CompileTask : public CancelableTask {
         worker_thread_runtime_call_stats_(
             isolate->counters()->worker_thread_runtime_call_stats()),
         dispatcher_(dispatcher) {
-    base::MutexGuard lock_guard(&dispatcher_->ref_count_mutex_);
     ++dispatcher_->ref_count_;
   }
 
@@ -95,12 +94,7 @@ class OptimizingCompileDispatcher::CompileTask : public CancelableTask {
 };
 
 OptimizingCompileDispatcher::~OptimizingCompileDispatcher() {
-#ifdef DEBUG
-  {
-    base::MutexGuard lock_guard(&ref_count_mutex_);
-    DCHECK_EQ(0, ref_count_);
-  }
-#endif
+  DCHECK_EQ(0, ref_count_);
   DCHECK_EQ(0, input_queue_length_);
   DeleteArray(input_queue_);
 }
@@ -227,6 +221,14 @@ void OptimizingCompileDispatcher::InstallOptimizedFunctions() {
   }
 }
 
+bool OptimizingCompileDispatcher::HasJobs() {
+  DCHECK_EQ(ThreadId::Current(), isolate_->thread_id());
+  // Note: This relies on {output_queue_} being mutated by a background thread
+  // only when {ref_count_} is not zero. Also, {ref_count_} is never incremented
+  // by a background thread.
+  return !(ref_count_ == 0 && output_queue_.empty());
+}
+
 void OptimizingCompileDispatcher::QueueForOptimization(
     OptimizedCompilationJob* job) {
   DCHECK(IsQueueAvailable());

diff --git a/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.h b/chromium/v8/src/compiler-dispatcher/optimizing-compile-dispatcher.h
@@ -52,6 +52,9 @@ class V8_EXPORT_PRIVATE OptimizingCompileDispatcher {
 
   static bool Enabled() { return FLAG_concurrent_recompilation; }
 
+  // This method must be called on the main thread.
+  bool HasJobs();
+
  private:
   class CompileTask;
 
@@ -87,7 +90,7 @@ class V8_EXPORT_PRIVATE OptimizingCompileDispatcher {
 
   int blocked_jobs_;
 
-  int ref_count_;
+  std::atomic<int> ref_count_;
   base::Mutex ref_count_mutex_;
   base::ConditionVariable ref_count_zero_;
 

diff --git a/chromium/v8/src/heap/heap.cc b/chromium/v8/src/heap/heap.cc
@@ -22,6 +22,7 @@
 #include "src/codegen/compilation-cache.h"
 #include "src/common/assert-scope.h"
 #include "src/common/globals.h"
+#include "src/compiler-dispatcher/optimizing-compile-dispatcher.h"
 #include "src/debug/debug.h"
 #include "src/deoptimizer/deoptimizer.h"
 #include "src/execution/isolate-utils-inl.h"
@@ -3036,6 +3037,12 @@ bool Heap::CanMoveObjectStart(HeapObject object) {
 
   if (IsLargeObject(object)) return false;
 
+  // Compilation jobs may have references to the object.
+  if (isolate()->concurrent_recompilation_enabled() &&
+      isolate()->optimizing_compile_dispatcher()->HasJobs()) {
+    return false;
+  }
+
   // We can move the object start if the page was already swept.
   return Page::FromHeapObject(object)->SweepingDone();
 }