[heap] Fix a data race in layout descriptor.

The race happens when the layout descriptor is evacuated at the same time as an object that has this layout descriptor is evacuated. Change-Id: I0a5fc545cf359fdfe738d8b6359713f5ea170986 Reviewed-on: https://chromium-review.googlesource.com/544953 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#46175}

[heap] Fix a data race in layout descriptor.
The race happens when the layout descriptor is evacuated at the same time as an object that has this layout descriptor is evacuated. Change-Id: I0a5fc545cf359fdfe738d8b6359713f5ea170986 Reviewed-on: https://chromium-review.googlesource.com/544953 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#46175}
2a614f95 · Ulan Degenbaev · Commit Bot · c503b805 · 2a614f95 · 2a614f95
Commit 2a614f95 authored Jun 23, 2017 by Ulan Degenbaev Committed by Commit Bot Jun 23, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 14 deletions

layout-descriptor-inl.h src/layout-descriptor-inl.h +5 -12

test-unboxed-doubles.cc test/cctest/test-unboxed-doubles.cc +1 -2

No files found.
--- a/src/layout-descriptor-inl.h
+++ b/src/layout-descriptor-inl.h
@@ -135,18 +135,11 @@ int LayoutDescriptor::capacity() {
 LayoutDescriptor* LayoutDescriptor::cast_gc_safe(Object* object) {
-  if (object->IsSmi()) {
+  // The map word of the object can be a forwarding pointer during
-    // Fast mode layout descriptor.
+  // object evacuation phase of GC. Since the layout descriptor methods
-    return reinterpret_cast<LayoutDescriptor*>(object);
+  // for checking whether a field is tagged or not do not depend on the
-  }
+  // object map, it should be safe.
+  return reinterpret_cast<LayoutDescriptor*>(object);
-  // This is a mixed descriptor which is a fixed typed array.
-  MapWord map_word = reinterpret_cast<HeapObject*>(object)->map_word();
-  if (map_word.IsForwardingAddress()) {
-    // Mark-compact has already moved layout descriptor.
-    object = map_word.ToForwardingAddress();
-  }
-  return LayoutDescriptor::cast(object);
 }
 int LayoutDescriptor::GetSlowModeBackingStoreLength(int length) {

--- a/test/cctest/test-unboxed-doubles.cc
+++ b/test/cctest/test-unboxed-doubles.cc
@@ -609,8 +609,7 @@ TEST(LayoutDescriptorCreateNewSlow) {
    layout_desc->set_map_word(
        MapWord::FromForwardingAddress(*layout_descriptor_copy));
    CHECK(layout_desc->map_word().IsForwardingAddress());
-    CHECK_EQ(*layout_descriptor_copy,
+    CHECK_EQ(layout_desc, LayoutDescriptor::cast_gc_safe(layout_desc));
-             LayoutDescriptor::cast_gc_safe(layout_desc));
    // Restore it back.
    layout_desc->set_map_word(map_word);