    [heap] Immediately update external memory on JSArrayBuffer::Detach · edd27c77
    Dominik Inführ authored
    This CL changes the accounting of array buffers, such that Detach
    deducts the backing store immediately. Previously this was corrected
    in the next GC cycle.
    
    Not updating backing_store_bytes_ immediately could cause an overflow
    in WasmMemoryObject::Grow. Grow first detaches the backing store from
    the old JSArrayBuffer and then attaches it to a new one. This results
    in the backing store being accounted twice temporarily, which could cause
    overflows on 32-bit systems.
    
    Bug: chromium:1204455
    Change-Id: I7cf2ca9a12bb5caf7bcffa25a34567774cf155b8
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2871458
    Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
    Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#74429}
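To make the transient double accounting concrete, the following is an added model of the heap counter on a 32-bit build (illustrative code, not V8's), with the deferred deduction the message describes beside the immediate one. `HeapModel`, `SimulateGrow` and the 3 GiB sample size are assumptions for illustration; only the Detach-then-Attach order of Grow comes from the commit message.

```cpp
#include <cstdint>
#include <cstdio>

// Models the heap's backing-store byte counter as a 32-bit size_t (assumption:
// stands in for V8's backing_store_bytes_ on a 32-bit build; names are illustrative).
using Bytes = uint32_t;

struct BackingStore { Bytes length; };
struct ArrayBuffer { BackingStore* store = nullptr; };

struct HeapModel {
  Bytes backing_store_bytes_ = 0;
  Bytes deferred_deduction_ = 0;  // detached bytes not yet deducted (pre-fix behaviour)
  bool overflowed = false;        // set when the counter wraps past UINT32_MAX

  void Attach(ArrayBuffer& ab, BackingStore* bs) {
    ab.store = bs;
    if (bs->length > UINT32_MAX - backing_store_bytes_) overflowed = true;
    backing_store_bytes_ += bs->length;  // unsigned arithmetic wraps silently
  }
  // Pre-fix: Detach only records the deduction; the next GC applies it.
  void DetachDeferred(ArrayBuffer& ab) { deferred_deduction_ += ab.store->length; ab.store = nullptr; }
  // Post-fix: Detach deducts the backing store at once.
  void DetachImmediate(ArrayBuffer& ab) { backing_store_bytes_ -= ab.store->length; ab.store = nullptr; }
  void Gc() { backing_store_bytes_ -= deferred_deduction_; deferred_deduction_ = 0; }
};

struct GrowResult { bool overflowed; Bytes final_bytes; };

// Simulates the Grow sequence from the commit message: detach the store from the
// old buffer, attach the same store to a new buffer, then let a GC run.
GrowResult SimulateGrow(bool immediate_deduction, Bytes length) {
  HeapModel heap;
  BackingStore store{length};
  ArrayBuffer old_buffer, new_buffer;
  heap.Attach(old_buffer, &store);
  if (immediate_deduction) heap.DetachImmediate(old_buffer);
  else heap.DetachDeferred(old_buffer);
  heap.Attach(new_buffer, &store);  // deferred model: old and new both counted here
  heap.Gc();
  return {heap.overflowed, heap.backing_store_bytes_};
}

int main() {
  const Bytes three_gib = 3u << 30;  // constructed sample: one 3 GiB Wasm memory
  GrowResult before = SimulateGrow(false, three_gib);
  GrowResult after = SimulateGrow(true, three_gib);
  std::printf("deferred deduction:  overflow=%d final=%u\n", before.overflowed, before.final_bytes);
  std::printf("immediate deduction: overflow=%d final=%u\n", after.overflowed, after.final_bytes);
  return 0;
}
```

Note that in the deferred model the counter reads correctly again after the GC; the wrap happens only in the window between the second Attach and the GC, which is why a post-GC check would never see it.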
js-array-buffer.h 14.3 KB