Commit 52b62586 authored by Mike Stanton's avatar Mike Stanton Committed by V8 LUCI CQ

[compiler] Fix data race in PropertyArray length and hash

The PropertyArray may store the hash of its parent object. This hash
can be installed at various points. Meanwhile, the background compiler
thread inspects the length field.

BUG=chromium:1220974

Change-Id: I7b13fd4546fb48e649fcbf67dee02d7c668393f2
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2967471
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75208}
parent c49bd068
......@@ -572,7 +572,7 @@ base::Optional<ObjectRef> GetOwnFastDataPropertyFromHeap(
}
PropertyArray properties = PropertyArray::cast(raw_properties_or_hash);
const int array_index = field_index.outobject_array_index();
if (array_index < properties.length()) {
if (array_index < properties.length(kAcquireLoad)) {
constant = properties.get(array_index);
} else {
TRACE_BROKER_MISSING(
......
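Review bot: The bounds check `if (array_index < properties.length(kAcquireLoad)) {` carries no comment saying why a length read needs acquire semantics, which makes it easy to drop in a later cleanup. Going by the commit message, the length shares a field with the hash, and the hash can be installed while the background compiler thread inspects the length, so this load appears to pair with the `kReleaseStore` in `PropertyArray::SetHash`. I would add a line above the check such as `// length and hash share one field; acquire pairs with the release store in PropertyArray::SetHash.` The enclosing function starts and ends outside the hunk, so whether the following `properties.get(array_index)` needs similar care cannot be judged from here.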
......@@ -74,7 +74,7 @@ int PropertyArray::Hash() const { return HashField::decode(length_and_hash()); }
void PropertyArray::SetHash(int hash) {
int value = length_and_hash();
value = HashField::update(value, hash);
set_length_and_hash(value);
set_length_and_hash(value, kReleaseStore);
}
void PropertyArray::CopyElements(Isolate* isolate, int dst_index,
......
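Review bot: `SetHash` still reads the field with a plain `int value = length_and_hash();` before the new `set_length_and_hash(value, kReleaseStore);`, so the read-modify-write is not atomic as a whole. That is safe only if a single thread ever writes this field, which the commit message suggests (the background thread only inspects the length) but the hunk does not show. I would record the assumption next to the store, e.g. `// Single-writer field: the release store publishes the new hash to concurrent length() readers.` Any other writers of the field are outside this hunk and should be checked for the same store ordering.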
// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --stress-concurrent-inlining --expose-gc
(function () {
assertArrayEquals = function assertArrayEquals() {};
assertContains = function () {};
assertPromiseResult = function () {};
isNeverOptimizeLiteMode = function isNeverOptimizeLiteMode() {};
isUnoptimized = function isUnoptimized() {};
isOptimized = function isOptimized() {};
isTurboFanned = function isTurboFanned() {};
})();
(function (global) {
assertEq = function assertEq() {}
function reportFailure() {}
global.reportFailure = reportFailure;
function printStatus() {}
global.printStatus = printStatus;
})(this);
(function (global) {
global.completesNormally = function completesNormally() {};
global.raisesException = function raisesException() {};
global.deepEqual = function deepEqual() {}
global.assertThrowsInstanceOf = function assertThrowsInstanceOf() {};
global.assertDeepEq = function () {
var call = Function.prototype.call,
Map_ = Map,
Map_set = call.bind(Map.prototype.set),
Object_getPrototypeOf = Object.getPrototypeOf,
Object_isExtensible = Object.isExtensible = Object.getOwnPropertyNames;
function isPrimitive() {}
return function assertDeepEq(a, b, options) {
function assertSameProto() {
check(a, Object_getPrototypeOf(b), );
}
function assertSameProps() {};
var bpath = new Map_();
function check(a, b) {
if (typeof a === "symbol") {
} else {
Map_set(bpath, b);
assertSameProto();
}
}
check();
};
}();
})(this);
function __isPropertyOfType(obj, name) {
desc = Object.getOwnPropertyDescriptor( name);
return typeof type === 'undefined' || typeof desc.value === type;
}
function __getProperties(obj, type) {
let properties = [];
for (let name of Object.getOwnPropertyNames(obj)) {
if (__isPropertyOfType(obj, name, type)) properties.push(name);
}
}
function* __getObjects(root = this, level = 0) {
let obj_names = __getProperties(root);
for (let obj_name of obj_names) {
}
}
function __getRandomObject() {
for (let obj of __getObjects()) {
}
}
function runNearStackLimit() {}
try {
__getRandomObject()(), {};
} catch (e) {}
try {
delete __getRandomObject()[__getRandomProperty()]();
} catch (e) {}
try {
__getRandomObject()[703044] = __callGC();
} catch (e) {}
try {
__getRandomObject(), {
get: function () {}
};
} catch (e) {}
try {
__getRandomObject(), {};
} catch (e) {}
try {
(function __f_30() {
try {
__getRandomObject()[__getRandomProperty()]();
} catch (e) {}
try {
__getRandomObject()(), {};
} catch (e) {}
__getRandomObject()[1004383]();
})();
} catch (e) {}
try {
assertDeepEq(Array.from("anything"), []);
} catch (e) {}
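Review bot: Nothing in this regression test can fail on its own, because every top-level statement sits in `try { ... } catch (e) {}` and the assert helpers are stubbed to empty functions. It can therefore only report through a crash or a race-detector finding when run with the options on the `// Flags:` line. A short header comment would make that explicit, e.g. `// Regression test for chromium:1220974: passes unless the run crashes or a race detector reports.` The file looks fuzzer-reduced, so leftovers such as the `Object.isExtensible = Object.getOwnPropertyNames` assignment are presumably intentional, and the same comment could say so.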