Commit 03984947 authored by Ulan Degenbaev, committed by Commit Bot

[heap] Fix data race with inobject_properties access in concurrent marker.

The race happens when inobject slack tracking is being completed on the
main thread, which decrements inobject_properties. At the same time
the concurrent marker is reading inobject_properties via the
LayoutDescriptorHelper.

BUG=chromium:694255

Change-Id: I4627d66b66c6036d357b9f619e1c602f0bb47d80
Reviewed-on: https://chromium-review.googlesource.com/555210
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Michael Lippautz <mlippautz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#46319}
parent 95a436b2
...@@ -3213,15 +3213,16 @@ int Map::instance_size() { ...@@ -3213,15 +3213,16 @@ int Map::instance_size() {
int Map::inobject_properties_or_constructor_function_index() { int Map::inobject_properties_or_constructor_function_index() {
return READ_BYTE_FIELD(this, return RELAXED_READ_BYTE_FIELD(
kInObjectPropertiesOrConstructorFunctionIndexOffset); this, kInObjectPropertiesOrConstructorFunctionIndexOffset);
} }
void Map::set_inobject_properties_or_constructor_function_index(int value) { void Map::set_inobject_properties_or_constructor_function_index(int value) {
DCHECK(0 <= value && value < 256); DCHECK(0 <= value && value < 256);
WRITE_BYTE_FIELD(this, kInObjectPropertiesOrConstructorFunctionIndexOffset, RELAXED_WRITE_BYTE_FIELD(this,
static_cast<byte>(value)); kInObjectPropertiesOrConstructorFunctionIndexOffset,
static_cast<byte>(value));
} }
......
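Review bot: The new RELAXED_READ_BYTE_FIELD / RELAXED_WRITE_BYTE_FIELD accessors in this hunk carry no comment explaining why relaxed ordering is sufficient, so a later reader may either revert them to plain accesses or rely on them for ordering they do not provide. A relaxed access only makes the single byte load/store atomic; it does not order the value against any other map field written in the same slack-tracking step, so the concurrent marker must tolerate a stale value. Suggest adding above the getter: `// Relaxed: read by the concurrent marker while the main thread completes inobject slack tracking; callers must tolerate a stale value and must not infer ordering with other Map fields.` The same sentence belongs above the setter. Whether every concurrent reader actually tolerates a stale value cannot be confirmed from this hunk.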
...@@ -11914,6 +11914,7 @@ static void ShrinkInstanceSize(Map* map, void* data) { ...@@ -11914,6 +11914,7 @@ static void ShrinkInstanceSize(Map* map, void* data) {
int old_visitor_id = Heap::GetStaticVisitorIdForMap(map); int old_visitor_id = Heap::GetStaticVisitorIdForMap(map);
#endif #endif
int slack = *reinterpret_cast<int*>(data); int slack = *reinterpret_cast<int*>(data);
DCHECK_GE(slack, 0);
map->SetInObjectProperties(map->GetInObjectProperties() - slack); map->SetInObjectProperties(map->GetInObjectProperties() - slack);
map->set_unused_property_fields(map->unused_property_fields() - slack); map->set_unused_property_fields(map->unused_property_fields() - slack);
map->set_instance_size(map->instance_size() - slack * kPointerSize); map->set_instance_size(map->instance_size() - slack * kPointerSize);
......
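Review bot: Only the first of the three stores below (`SetInObjectProperties`) goes through the relaxed accessor this commit introduces; `set_unused_property_fields` and `set_instance_size` are not changed as far as the visible hunks show, and nothing orders the three updates against a marker reading concurrently, so a marker can observe the decremented inobject_properties next to the old instance_size or vice versa. If that combination is benign, presumably because the map only ever shrinks here, that reasoning belongs in a comment above the three stores, e.g. `// A concurrent marker may observe these three stores in any order; it must tolerate a stale value for any of the fields (the map only shrinks).` The added `DCHECK_GE(slack, 0)` is debug-only, so in a release build a negative slack would silently grow the instance size; whether negative slack is reachable cannot be told from this hunk. ShrinkInstanceSize starts before the hunk and continues past it.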