    [objects] Update JSArrayBuffer::extension-field in two steps · 1f35c165
    Dominik Inführ authored
    The JSArrayBuffer::extension-field might not be aligned with pointer
    compression enabled. However on AArch64 pointers need to be aligned if
    you perform atomic operations on them. Therefore split extension into
    two 32-bit words that each get updated atomically. There is no ABA
    problem here since the extension field only transitions from
    NULL --> value --> NULL. After Detach(), Attach() isn't invoked anymore.
    
    Bug: v8:10064
    Change-Id: If987ed51f0528ca7313980f3d36ffca300b75fdc
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2071256
    Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
    Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#66457}
js-array-buffer-inl.h 10.3 KB
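
The two-step update the commit message describes, as an added C++ sketch that is not V8's code: `FakeArrayBuffer`, `LoadExtension`, `StoreExtension` and `LifecycleSnapshots` are hypothetical names, and the layout is constructed so that the 64-bit slot lands on a 4-byte-aligned offset. It records what a reader gets after each individual 32-bit store across the NULL --> value --> NULL lifecycle.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical object layout (not V8's): a 32-bit field in front leaves the
// 64-bit extension slot only 4-byte aligned, so it is kept as two halves.
struct FakeArrayBuffer {
  uint32_t compressed_field = 0;
  std::atomic<uint32_t> ext_lo{0};  // low 32 bits of the extension pointer
  std::atomic<uint32_t> ext_hi{0};  // high 32 bits of the extension pointer
};
static_assert(sizeof(std::atomic<uint32_t>) == 4, "assumes 4-byte atomics");
static_assert(offsetof(FakeArrayBuffer, ext_lo) % 8 == 4,
              "slot is 4-byte aligned but not 8-byte aligned");

// Combine both halves; each load is individually atomic, the pair is not.
uint64_t LoadExtension(const FakeArrayBuffer& b) {
  uint64_t lo = b.ext_lo.load(std::memory_order_acquire);
  uint64_t hi = b.ext_hi.load(std::memory_order_acquire);
  return lo | (hi << 32);
}

// Two-step update: low word first, then high word. `seen` records what
// LoadExtension() returns after each individual 32-bit store.
void StoreExtension(FakeArrayBuffer& b, uint64_t bits,
                    std::vector<uint64_t>* seen) {
  b.ext_lo.store(static_cast<uint32_t>(bits), std::memory_order_release);
  if (seen) seen->push_back(LoadExtension(b));
  b.ext_hi.store(static_cast<uint32_t>(bits >> 32), std::memory_order_release);
  if (seen) seen->push_back(LoadExtension(b));
}

// Walk the only lifecycle the commit message allows: NULL -> value -> NULL.
std::vector<uint64_t> LifecycleSnapshots(uint64_t value) {
  FakeArrayBuffer b;
  std::vector<uint64_t> seen{LoadExtension(b)};  // initial NULL
  StoreExtension(b, value, &seen);               // stands in for Attach()
  StoreExtension(b, 0, &seen);                   // stands in for Detach()
  return seen;
}
```

The second and fourth snapshots are half-written values rather than pointers, so any code that reads the field concurrently has to account for them.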