    [heap] Fix iterating uninitialized TransitionArrays. · d82e8f37
    Marja Hölttä authored
    This pattern seems to reoccur in the code:
    
    Handle<TransitionArray> array = TransitionArray::Allocate(...);
    <something that causes allocation>
    // Fill up the array
    array->set(...);
    
    If the allocation causes GC, we try to iterate the TransitionArray
    in MarkCompactCollector::ClearFullMapTransitions, and that crashes because it
    expects the TransitionArray to contain handlers (not undefined).
    
    This bug is present e.g., in TransitionAccessor::EnsureHasFullTransition.
    
    BUG=v8:7308
    
    Change-Id: I306204fc27d62041801427c466c82d1d9df1bf0c
    Reviewed-on: https://chromium-review.googlesource.com/997493
    Commit-Queue: Marja Hölttä <marja@chromium.org>
    Reviewed-by: Ulan Degenbaev <ulan@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#52386}
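The allocate-then-fill hazard the commit message describes, as an added illustration that is not code from V8 or from this commit. It is a deliberately small model: `Heap`, `Handler`, `TransitionArray`, `AllocateHandler`, `AllocateArray` and the `allocs_until_gc` countdown are hypothetical stand-ins (V8 uses handles and a moving collector, not raw pointers), and `ClearFullMapTransitions` here only reproduces the one assumption the commit message names, that every slot already holds a handler rather than undefined. `BuggyOrdering` follows the pattern quoted in the message; `FixedOrdering` shows one way to close the window, by doing every allocation the array's contents need before allocating the array and filling it with no allocating call in between.

```cpp
// Hypothetical model of the TransitionArray allocation-ordering bug; not V8 code.
#include <cstddef>
#include <memory>
#include <stdexcept>
#include <vector>

struct Handler {
  int id;
};

// A transition array whose slots hold handlers; nullptr models "undefined".
struct TransitionArray {
  std::vector<Handler*> slots;
  explicit TransitionArray(size_t n) : slots(n, nullptr) {}
};

class Heap {
 public:
  explicit Heap(int allocs_until_gc) : allocs_until_gc_(allocs_until_gc) {}

  // Stand-in for MarkCompactCollector::ClearFullMapTransitions: walks every
  // transition array and assumes each slot already holds a handler.
  void ClearFullMapTransitions() {
    for (const auto& array : arrays_)
      for (Handler* h : array->slots)
        if (h == nullptr)
          throw std::logic_error("uninitialized TransitionArray slot");
  }

  Handler* AllocateHandler(int id) {
    MaybeGC();  // any allocation may trigger GC
    handlers_.push_back(std::make_unique<Handler>(Handler{id}));
    return handlers_.back().get();
  }

  TransitionArray* AllocateArray(size_t n) {
    MaybeGC();  // GC runs before the new array exists, so it cannot see it
    arrays_.push_back(std::make_unique<TransitionArray>(n));
    return arrays_.back().get();
  }

  bool gc_ran() const { return gc_ran_; }

 private:
  // Every allocation counts down to a GC; which allocation fires it is what
  // makes the crash intermittent in practice.
  void MaybeGC() {
    if (--allocs_until_gc_ == 0) {
      gc_ran_ = true;
      ClearFullMapTransitions();
    }
  }

  int allocs_until_gc_;
  bool gc_ran_ = false;
  std::vector<std::unique_ptr<Handler>> handlers_;
  std::vector<std::unique_ptr<TransitionArray>> arrays_;
};

// The pattern from the commit message: allocate the array, allocate more
// objects (which may GC), then fill. A GC in the middle sees undefined slots.
// Returns true if the sequence completed, false if the collector tripped.
bool BuggyOrdering(int allocs_until_gc) {
  Heap heap(allocs_until_gc);
  try {
    TransitionArray* array = heap.AllocateArray(2);
    Handler* h0 = heap.AllocateHandler(0);  // may GC while array is empty
    Handler* h1 = heap.AllocateHandler(1);  // may GC while array is empty
    array->slots[0] = h0;
    array->slots[1] = h1;
    return true;
  } catch (const std::logic_error&) {
    return false;
  }
}

// One fix: allocate everything the contents need first, allocate the array
// last, and fill it with no allocating call in between, so no collector
// run can observe the array half-initialized.
bool FixedOrdering(int allocs_until_gc) {
  Heap heap(allocs_until_gc);
  try {
    Handler* h0 = heap.AllocateHandler(0);
    Handler* h1 = heap.AllocateHandler(1);
    TransitionArray* array = heap.AllocateArray(2);  // nothing allocates after this
    array->slots[0] = h0;
    array->slots[1] = h1;
    return true;
  } catch (const std::logic_error&) {
    return false;
  }
}
```

The countdown parameter is what makes the bug visible: with the buggy ordering, a GC on the second or third allocation lands between the array's allocation and its fill and trips the collector, while a GC on the first allocation (before the array exists) or no GC at all passes, which is exactly why such bugs surface only under allocation pressure. The fixed ordering passes for every countdown value.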
transitions.h 13.3 KB