[strings] Fix flattening ConsStrings with StringForwardingTable enabled

When using the StringForwardingTable for all strings, string shapes can change during GC. This led to an issue when a ConsString was transitioned to a ThinString (and potentially shortcutted to InternalizedString) while flattening. Bug: chromium:1335826, chromium:1329726 Change-Id: Ide243a5e24fd41374053972fb7bab8217d7a14fd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3705377Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Auto-Submit: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/main@{#81131}

[strings] Fix flattening ConsStrings with StringForwardingTable enabled
When using the StringForwardingTable for all strings, string shapes can change during GC. This led to an issue when a ConsString was transitioned to a ThinString (and potentially shortcutted to InternalizedString) while flattening. Bug: chromium:1335826, chromium:1329726 Change-Id: Ide243a5e24fd41374053972fb7bab8217d7a14fd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3705377Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Camillo Bruni <cbruni@chromium.org> Auto-Submit: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/main@{#81131}
8c10f676 · Patrick Thier · V8 LUCI CQ · ec009ba2 · 8c10f676
Commit 8c10f676 authored Jun 14, 2022 by Patrick Thier Committed by V8 LUCI CQ Jun 14, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 0 deletions

string.cc src/objects/string.cc +16 -0

No files found.
--- a/src/objects/string.cc
+++ b/src/objects/string.cc
@@ -61,6 +61,14 @@ Handle<String> String::SlowFlatten(Isolate* isolate, Handle<ConsString> cons,
        isolate->factory()
            ->NewRawOneByteString(length, allocation)
            .ToHandleChecked();
+    // When the ConsString had a forwarding index, it is possible that it was
+    // transitioned to a ThinString (and eventually shortcutted to
+    // InternalizedString) during GC.
+    if (V8_UNLIKELY(FLAG_always_use_string_forwarding_table &&
+                    !cons->IsConsString())) {
+      DCHECK(cons->IsInternalizedString() || cons->IsThinString());
+      return String::Flatten(isolate, cons, allocation);
+    }
    DisallowGarbageCollection no_gc;
    WriteToFlat(*cons, flat->GetChars(no_gc), 0, length);
    result = flat;
@@ -69,6 +77,14 @@ Handle<String> String::SlowFlatten(Isolate* isolate, Handle<ConsString> cons,
        isolate->factory()
            ->NewRawTwoByteString(length, allocation)
            .ToHandleChecked();
+    // When the ConsString had a forwarding index, it is possible that it was
+    // transitioned to a ThinString (and eventually shortcutted to
+    // InternalizedString) during GC.
+    if (V8_UNLIKELY(FLAG_always_use_string_forwarding_table &&
+                    !cons->IsConsString())) {
+      DCHECK(cons->IsInternalizedString() || cons->IsThinString());
+      return String::Flatten(isolate, cons, allocation);
+    }
    DisallowGarbageCollection no_gc;
    WriteToFlat(*cons, flat->GetChars(no_gc), 0, length);
    result = flat;