Hold the CrossThreadPersistentMutex across heap poisoning.

Since cross-thread persistents may be included in the poisoning, but must not be observed by another thread to be poisoned, the mutex must be held to prevent them noticing before they are unpoisoned again. The alternative which would narrow the critical section might be to store away a copy of the cross-thread persistents and not poison them at all, but this is consistent with the previous approach and thus seems less risky. Bug: 857311 Change-Id: Ib0ddee582c6ceea98cce0c0b3844fb363aa3c5be Reviewed-on: https://chromium-review.googlesource.com/1118286Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Jeremy Roman <jbroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#571145}

Hold the CrossThreadPersistentMutex across heap poisoning.
Since cross-thread persistents may be included in the poisoning, but must not be observed by another thread to be poisoned, the mutex must be held to prevent them noticing before they are unpoisoned again. The alternative which would narrow the critical section might be to store away a copy of the cross-thread persistents and not poison them at all, but this is consistent with the previous approach and thus seems less risky. Bug: 857311 Change-Id: Ib0ddee582c6ceea98cce0c0b3844fb363aa3c5be Reviewed-on: https://chromium-review.googlesource.com/1118286Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Jeremy Roman <jbroman@chromium.org> Cr-Commit-Position: refs/heads/master@{#571145}
54b819e7 · Jeremy Roman · Commit Bot · c1fe3ed2 · 54b819e7 · 54b819e7
Commit 54b819e7 authored Jun 28, 2018 by Jeremy Roman Committed by Commit Bot Jun 28, 2018
2 changed files
--- a/third_party/blink/renderer/platform/heap/heap.cc
+++ b/third_party/blink/renderer/platform/heap/heap.cc
@@ -459,6 +459,10 @@ void ThreadHeap::PromptlyFreed(size_t gc_info_index) {

 #if defined(ADDRESS_SANITIZER)
 void ThreadHeap::PoisonAllHeaps() {
+  // This lock must be held because other threads may access cross-thread
+  // persistents and should not observe them in a poisoned state.
+  MutexLocker lock(ProcessHeap::CrossThreadPersistentMutex());
+
  // Poisoning all unmarked objects in the other arenas.
  for (int i = 1; i < BlinkGC::kNumberOfArenas; i++)
    arenas_[i]->PoisonArena();
@@ -470,6 +474,10 @@ void ThreadHeap::PoisonAllHeaps() {
 }

 void ThreadHeap::PoisonEagerArena() {
+  // This lock must be held because other threads may access cross-thread
+  // persistents and should not observe them in a poisoned state.
+  MutexLocker lock(ProcessHeap::CrossThreadPersistentMutex());
+
  arenas_[BlinkGC::kEagerSweepArenaIndex]->PoisonArena();
  // CrossThreadPersistents in unmarked objects may be accessed from other
  // threads (e.g. in CrossThreadPersistentRegion::shouldTracePersistent) and

--- a/third_party/blink/renderer/platform/heap/persistent_node.cc
+++ b/third_party/blink/renderer/platform/heap/persistent_node.cc
@@ -197,7 +197,9 @@ void CrossThreadPersistentRegion::PrepareForThreadStateTermination(

 #if defined(ADDRESS_SANITIZER)
 void CrossThreadPersistentRegion::UnpoisonCrossThreadPersistents() {
-  MutexLocker lock(ProcessHeap::CrossThreadPersistentMutex());
+#if DCHECK_IS_ON()
+  DCHECK(ProcessHeap::CrossThreadPersistentMutex().Locked());
+#endif
  int persistent_count = 0;
  for (PersistentNodeSlots* slots = persistent_region_.slots_; slots;
       slots = slots->next_) {