[heap] Fix age check for scavenged objects [v8/v8 : main]
0 views
Skip to first unread message
Omer Katz (Gerrit)
Sep 26, 2025, 6:57:11 AM (yesterday) Sep 26
to Dominik Inführ, V8 LUCI CQ, Hannes Payer, mlippau...@chromium.org, v8-re...@googlegroups.com
Attention needed from Dominik Inführ
Omer Katz added 1 comment![]( "Open in Gerrit")
Patchset-level comments
Related details
Attention is currently required from:
- Dominik Inführ
Submit Requirements:
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Dominik Inführ (Gerrit)
Sep 26, 2025, 8:08:39 AM (yesterday) Sep 26
to Omer Katz, V8 LUCI CQ, Hannes Payer, mlippau...@chromium.org, v8-re...@googlegroups.com
Attention needed from Omer Katz
Dominik Inführ voted and added 2 comments![]( "Open in Gerrit")
Votes added by Dominik Inführ
| Code-Review | +1 |
2 comments
Patchset-level comments
Dominik Inführ . resolved
Good catch! LGTM
File src/heap/scavenger.cc
Line 1092, Patchset 1 (Latest):
return !HeapLayout::InYoungGeneration(object) ||Dominik Inführ . unresolved
Nit: We could split this condition up a bit, now that we have this in its own function. Something like:
```
if (!InYoungGeneration(object)) return true;
...
```
Related details
Attention is currently required from:
- Omer Katz
Submit Requirements:
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Omer Katz (Gerrit)
Sep 26, 2025, 8:15:37 AM (yesterday) Sep 26
to Dominik Inführ, V8 LUCI CQ, Hannes Payer, mlippau...@chromium.org, v8-re...@googlegroups.com
Omer Katz voted and added 1 comment![]( "Open in Gerrit")
Votes added by Omer Katz
| Commit-Queue | +2 |
1 comment
File src/heap/scavenger.cc
Nit: We could split this condition up a bit, now that we have this in its own function. Something like:
```
if (!InYoungGeneration(object)) return true;
...
```
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
V8 LUCI CQ (Gerrit)
Sep 26, 2025, 8:46:23 AM (yesterday) Sep 26
to Omer Katz, Dominik Inführ, Hannes Payer, mlippau...@chromium.org, v8-re...@googlegroups.com
V8 LUCI CQ submitted the change with unreviewed changes![]( "Open in Gerrit")
Unreviewed changes
1 is the latest approved patch-set.
The change was submitted with unreviewed changes in the following files:
```
The name of the file: src/heap/scavenger.cc
Insertions: 12, Deletions: 5.
@@ -1089,11 +1089,18 @@
namespace {
bool HeapObjectWillBeOld(const Heap* heap, Tagged<HeapObject> object) {
- return !HeapLayout::InYoungGeneration(object) ||
- HeapLayout::InAnyLargeSpace(object) ||
- (HeapLayout::IsSelfForwarded(object) &&
- MemoryChunkMetadata::FromHeapObject(heap->isolate(), object)
- ->will_be_promoted());
+ if (!HeapLayout::InYoungGeneration(object)) {
+ return true;
+ }
+ if (HeapLayout::InAnyLargeSpace(object)) {
+ return true;
+ }
+ if (HeapLayout::IsSelfForwarded(object) &&
+ MemoryChunkMetadata::FromHeapObject(heap->isolate(), object)
+ ->will_be_promoted()) {
+ return true;
+ }
+ return false;
}
} // namespace
```
Change information
Commit message:
[heap] Fix age check for scavenged objects
The check was only looking at `HeapLayout::InYoungGeneration` and
ignored large pages and pinned promoted pages. As a result, it was
possible to miss a old-to-new slot, which could lead to a memory
corruption.
Bug: 447457117
Change-Id: I4a0e1e4077b443f0a293a9fbecd58072a3a3be69
Reviewed-by: Dominik Inführ <dinf...@chromium.org>
Commit-Queue: Omer Katz <omer...@chromium.org>
Cr-Commit-Position: refs/heads/main@{#102794}
Files:
- M src/heap/scavenger.cc
Change size: S
Delta: 1 file changed, 26 insertions(+), 12 deletions(-)
Branch: refs/heads/main
Submit Requirements:
Code-Review: +1 by Dominik Inführ
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages