[objects] native_context() can be null until fully initialized

A NativeContext is initialized in two steps: First the map is allocated, only afterwards the NativeContext. It could happen that there is a GC happening when allocating the NativeContext. In such a case the native_context for the Map is still set to null. Fix this by also allowing null in Map::MapVerify. Bug: v8:11695 Change-Id: Id8dcd6aef83aff4cbfff45a1e993e555cff8e7bb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2853587Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#74237}

[objects] native_context() can be null until fully initialized
A NativeContext is initialized in two steps: First the map is allocated, only afterwards the NativeContext. It could happen that there is a GC happening when allocating the NativeContext. In such a case the native_context for the Map is still set to null. Fix this by also allowing null in Map::MapVerify. Bug: v8:11695 Change-Id: Id8dcd6aef83aff4cbfff45a1e993e555cff8e7bb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2853587Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Dominik Inführ <dinfuehr@chromium.org> Cr-Commit-Position: refs/heads/master@{#74237}
7b55cdd4 · Dominik Inführ · Commit Bot · 872cc036 · 7b55cdd4 · 7b55cdd4
Commit 7b55cdd4 authored Apr 27, 2021 by Dominik Inführ Committed by Commit Bot Apr 28, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 1 deletion

objects-debug.cc src/diagnostics/objects-debug.cc +5 -1

map-inl.h src/objects/map-inl.h +3 -0

map.h src/objects/map.h +1 -0

No files found.
--- a/src/diagnostics/objects-debug.cc
+++ b/src/diagnostics/objects-debug.cc
@@ -458,7 +458,11 @@ void Map::MapVerify(Isolate* isolate) {
        (kTaggedSize <= instance_size() &&
         static_cast<size_t>(instance_size()) < heap->Capacity()));
  if (IsContextMap()) {
-    CHECK(native_context().IsNativeContext());
+    // The map for the NativeContext is allocated before the NativeContext
+    // itself, so it may happen that during a GC the native_context() is still
+    // null.
+    CHECK(native_context_or_null().IsNull() ||
+          native_context().IsNativeContext());
  } else {
    if (GetBackPointer().IsUndefined(isolate)) {
      // Root maps must not have descriptors in the descriptor array that do not

--- a/src/objects/map-inl.h
+++ b/src/objects/map-inl.h
@@ -744,6 +744,9 @@ ACCESSORS_CHECKED2(Map, constructor_or_back_pointer, Object,
 ACCESSORS_CHECKED(Map, native_context, NativeContext,
                  kConstructorOrBackPointerOrNativeContextOffset,
                  IsContextMap())
+ACCESSORS_CHECKED(Map, native_context_or_null, Object,
+                  kConstructorOrBackPointerOrNativeContextOffset,
+                  (value.IsNull() || value.IsNativeContext()) && IsContextMap())
 #if V8_ENABLE_WEBASSEMBLY
 ACCESSORS_CHECKED(Map, wasm_type_info, WasmTypeInfo,
                  kConstructorOrBackPointerOrNativeContextOffset,

--- a/src/objects/map.h
+++ b/src/objects/map.h
@@ -558,6 +558,7 @@ class Map : public HeapObject {
  // and with the Wasm type info for WebAssembly object maps.
  DECL_ACCESSORS(constructor_or_back_pointer, Object)
  DECL_ACCESSORS(native_context, NativeContext)
+  DECL_ACCESSORS(native_context_or_null, Object)
  DECL_ACCESSORS(wasm_type_info, WasmTypeInfo)
  DECL_GETTER(GetConstructor, Object)
  DECL_GETTER(GetFunctionTemplateInfo, FunctionTemplateInfo)