    [heap] Fix ArrayBufferTracker accessing already swept byte length · 55d00c95
    Michael Lippautz authored
    The tracker needs to maintain the byte length as there is no order guarantee
    when sweeping pages and the byte length may be a HeapNumber that is stored on a
    different page.
    
    The abstraction for ArrayBuffers is left untouched. We distinguish between the
    following cases:
    1. Regular AB (backing_store and byte_length should be used)
    2. AB allocated using kReservation but not part of wasm
    3. AB allocated using kReservation and part of wasm
    
    In practice, 2. does not exist, but we still maintain "allocation_base" and
    "allocation_length" which fall back to backing_store and byte_length in this
    case. The problematic part is that they look like innocent getters on the
    object but actually refer to different data structures or on-heap objects.
    
    Since 2. does not exist, and 3. looks up the bounds in its own tracker, it is
    fine for ArrayBufferTracker to pass backing_store and tracked byte_length.
    
    Bug: v8:7701
    Change-Id: Ib89d5fe94fce5cef8e5d8343a5415a3b9ad0deba
    Reviewed-on: https://chromium-review.googlesource.com/1039385
    Reviewed-by: Ben Titzer <titzer@chromium.org>
    Reviewed-by: Hannes Payer <hpayer@chromium.org>
    Commit-Queue: Michael Lippautz <mlippautz@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#52923}
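The hazard the commit describes, as an added toy model (not V8 code): a buffer's byte length sits in a HeapNumber on a different page, the HeapNumber's page is swept first, and a tracker that recorded the length at registration still reports the right value. All type and function names here are hypothetical stand-ins for the V8 objects named in the message.

```cpp
#include <cstddef>
#include <unordered_map>
#include <vector>

// Hypothetical model (not V8 code) of the hazard the commit describes: a
// JSArrayBuffer's byte length may be a HeapNumber on a different page, and
// pages are swept in no fixed order, so the tracker carries the length
// itself instead of dereferencing the HeapNumber when the buffer dies.
struct HeapNumber { double value; };
struct JSArrayBuffer { HeapNumber* byte_length; };
struct Page {
  std::vector<HeapNumber*> numbers;    // HeapNumbers allocated on this page
  std::vector<JSArrayBuffer*> buffers; // buffers allocated on this page
};

class ArrayBufferTracker {
 public:
  // Record the length while the HeapNumber is certainly alive.
  void Register(JSArrayBuffer* ab) {
    tracked_[ab] = static_cast<size_t>(ab->byte_length->value);
  }
  // Release the buffer using only the tracked length.
  size_t Unregister(JSArrayBuffer* ab) {
    size_t len = tracked_.at(ab);
    tracked_.erase(ab);
    return len;
  }
 private:
  std::unordered_map<JSArrayBuffer*, size_t> tracked_;
};

// Sweeping a page clobbers its dead HeapNumbers (stand-in for freed memory
// being reused) and hands its dead buffers to the tracker.
size_t SweepPage(Page& page, ArrayBufferTracker& tracker) {
  for (HeapNumber* n : page.numbers) n->value = -1.0;  // garbage now
  size_t freed = 0;
  for (JSArrayBuffer* ab : page.buffers) freed += tracker.Unregister(ab);
  return freed;
}

// Constructed scenario: the length HeapNumber lives on page_a, the buffer on
// page_b, and page_a is swept first. Returns the bytes the tracker reports.
size_t FreedBytesWhenNumberPageSweptFirst() {
  HeapNumber len{1024.0};
  JSArrayBuffer ab{&len};
  Page page_a{{&len}, {}};
  Page page_b{{}, {&ab}};
  ArrayBufferTracker tracker;
  tracker.Register(&ab);
  size_t freed = SweepPage(page_a, tracker);  // len is clobbered here
  freed += SweepPage(page_b, tracker);        // tracked 1024 is used, not -1
  return freed;
}
```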