[heap] Fix benign race in CopyElements

Bug: v8:9032 Change-Id: Ibd607d164bbc31aa41887db51c4ade575a37b227 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547658Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#60555}

[heap] Fix benign race in CopyElements
Bug: v8:9032 Change-Id: Ibd607d164bbc31aa41887db51c4ade575a37b227 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547658Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#60555}
60f62177 · Sigurd Schneider · Commit Bot · d4550f4a · 60f62177
Commit 60f62177 authored Apr 01, 2019 by Sigurd Schneider Committed by Commit Bot Apr 01, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 29 additions and 9 deletions

heap.cc src/heap/heap.cc +29 -9

No files found.
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -1526,18 +1526,38 @@ void Heap::MoveElements(FixedArray array, int dst_index, int src_index, int len,
  FIXED_ARRAY_ELEMENTS_WRITE_BARRIER(this, array, dst_index, len);
 }

-void Heap::CopyElements(FixedArray dst, FixedArray src, int dst_index,
-                        int src_index, int len, WriteBarrierMode mode) {
-  DCHECK_NE(dst, src);
+void Heap::CopyElements(FixedArray dst_array, FixedArray src_array,
+                        int dst_index, int src_index, int len,
+                        WriteBarrierMode mode) {
+  DCHECK_NE(dst_array, src_array);
  if (len == 0) return;

-  DCHECK_NE(dst->map(), ReadOnlyRoots(this).fixed_cow_array_map());
-  ObjectSlot dst_slot = dst->RawFieldOfElementAt(dst_index);
-  ObjectSlot src_slot = src->RawFieldOfElementAt(src_index);
-  MemMove(dst_slot.ToVoidPtr(), src_slot.ToVoidPtr(), len * kTaggedSize);
-
+  DCHECK_NE(dst_array->map(), ReadOnlyRoots(this).fixed_cow_array_map());
+  ObjectSlot dst = dst_array->RawFieldOfElementAt(dst_index);
+  ObjectSlot src = src_array->RawFieldOfElementAt(src_index);
+  if (FLAG_concurrent_marking && incremental_marking()->IsMarking()) {
+    if (dst < src) {
+      for (int i = 0; i < len; i++) {
+        dst.Relaxed_Store(src.Relaxed_Load());
+        ++dst;
+        ++src;
+      }
+    } else {
+      // Copy backwards.
+      dst += len - 1;
+      src += len - 1;
+      for (int i = 0; i < len; i++) {
+        dst.Relaxed_Store(src.Relaxed_Load());
+        --dst;
+        --src;
+      }
+    }
+  } else {
+    // TODO(sigurds): Figure out whether we can use MemCopy here.
+    MemMove(dst.ToVoidPtr(), src.ToVoidPtr(), len * kTaggedSize);
+  }
  if (mode == SKIP_WRITE_BARRIER) return;
-  FIXED_ARRAY_ELEMENTS_WRITE_BARRIER(this, dst, dst_index, len);
+  FIXED_ARRAY_ELEMENTS_WRITE_BARRIER(this, dst_array, dst_index, len);
 }

 #ifdef VERIFY_HEAP