Fix segfault during GC #5900 (4.x)

[ofrobots]

Checklist

• make -j4 test (UNIX) or vcbuild test nosign (Windows) passes
• the commit message follows commit guidelines

Affected core subsystem(s)

deps: v8

Description of change

These two patches comprise a fix for #5900 – a segfault during GC that can happen under rare circumstances. The interesting part is that the one of the fixes never landed upstream in V8 because the bug doesn't exist in any active V8 branches.

The segfault occurs at the intersection of the following three conditions that are dependent on the allocation pattern of an application: A pretenured (1) allocation site has to be optimized into a merged allocation by the allocation folding optimization (2) and there needs to be overflow of the store buffer (3).

This second patch disables the allocation folding optimization for pretenured allocations. This may have some, hopefully negligible, performance impact on real world applications.

This also needs to be fixed in v5.x; but I'm not sure how much runway is left on that branch and whether it would give us sufficient feedback. Regardless, I think an independent determination can be made whether this is worth fixing on v4.x in the first place (given than the scenario is rare).

R=@nodejs/lts
/cc @nodejs/v8

[targos]

The patch LGTM.

[bnoordhuis]

LGTM. Do the V8 and node.js test suite pass with this change?

[ofrobots]

CI: https://ci.nodejs.org/job/node-test-pull-request/3003/
V8 tests: https://ci.nodejs.org/view/All/job/node-test-commit-v8-linux/135/

[indutny]

@ofrobots do we have understand of what particular call site is causing segfault? Rubber-stamp LGTM

[ofrobots]

@indutny The crash happens when the StoreBuffer is iterating pointers to new space:

(lldb) bt * thread #1: tid = 0x135643b, 0x00000001003956c4 node`v8::internal::StoreBuffer::IteratePointersToNewSpace(void (*)(v8::internal::HeapObject**, v8::internal::HeapObject*)) + 1972, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x7) * frame #0: 0x00000001003956c4 node`v8::internal::StoreBuffer::IteratePointersToNewSpace(void (*)(v8::internal::HeapObject**, v8::internal::HeapObject*)) + 1972 frame #1: 0x0000000100331899 node`v8::internal::Heap::Scavenge() + 1273 frame #2: 0x00000001003301cf node`v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) + 879 frame #3: 0x000000010032fb91 node`v8::internal::Heap::CollectGarbage(v8::internal::GarbageCollector, char const*, char const*, v8::GCCallbackFlags) + 689 frame #4: 0x00000001002e88bc node`v8::internal::Factory::NewFillerObject(int, bool, v8::internal::AllocationSpace) + 108 frame #5: 0x000000010053431e node`v8::internal::Runtime_AllocateInTargetSpace(int, v8::internal::Object**, v8::internal::Isolate*) + 110 

[ofrobots]

And there was a secondary bug in --verify-heap.

[ofrobots]

It seems like it is not possible to run the V8 tests in CI on the v4.x branch? (/cc @mhdawson). See https://ci.nodejs.org/view/All/job/node-test-commit-v8-linux/135/.

I will run them manually and report back.

[ofrobots]

V8 tests pass for me when run manually on a mac.

[MylesBorins]

running v8 tests in CI

https://ci.nodejs.org/job/node-test-commit-v8-linux/171/

Will land if green

[MylesBorins]

CI is green LGTM

[MylesBorins]

landed in 5ba807a...e319d76