• Seth Brenith's avatar
    [torque] Stricter object field verification, part 1 · 3834c637
    Seth Brenith authored
    This change adjusts object initialization order for a few classes so
    that the GC can never see those objects in an invalid, partially-
    initialized state.
    
    AccessorInfo: Just zeros out a few fields upon construction. This is the
    simplest case.
    
    FunctionTemplateInfo: Slightly changes the order in which fields are
    set, so that the Smi field is set ahead of the call to SetCallHandler,
    which can GC. Also a pretty simple case.
    
    JSListFormat, JSPluralRules, JSRelativeTimeFormat, JSSegmenter: The spec
    requires that we start with OrdinaryCreateFromConstructor, which has
    observable side effects (it fetches the prototype from the new.target).
    So we split JSObject::New in half: the first half does all of the user-
    visible things and returns a Map, which we can pass to the second half
    when we're ready to actually allocate the object.
    
    JSTypedArray: Extends the pattern from JSListFormat into Torque code:
    start with a Map and don't allocate the object until we're ready to set
    all of its properties.
    
    Bug: v8:9311
    Change-Id: Id7703e8a0727ec756c774cfbb56af787658a111a
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1646844
    Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
    Reviewed-by: 's avatarJakob Gruber <jgruber@chromium.org>
    Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
    Reviewed-by: 's avatarUlan Degenbaev <ulan@chromium.org>
    Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#62123}
    3834c637
factory.cc 166 KB