[heap] Fix a missing write barrier in Heap::Allocate.

BUG= Review-Url: https://codereview.chromium.org/2906313002 Cr-Commit-Position: refs/heads/master@{#45571}

[heap] Fix a missing write barrier in Heap::Allocate.
BUG= Review-Url: https://codereview.chromium.org/2906313002 Cr-Commit-Position: refs/heads/master@{#45571}
b853d7fb · ulan · Commit Bot · bc32a0a7 · b853d7fb · b853d7fb
Commit b853d7fb authored May 29, 2017 by ulan Committed by Commit Bot May 29, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 38 additions and 2 deletions

heap.cc src/heap/heap.cc +4 -2

heap-tester.h test/cctest/heap/heap-tester.h +1 -0

test-heap.cc test/cctest/heap/test-heap.cc +33 -0

No files found.
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -3502,8 +3502,10 @@ AllocationResult Heap::Allocate(Map* map, AllocationSpace space,
  HeapObject* result = nullptr;
  AllocationResult allocation = AllocateRaw(size, space);
  if (!allocation.To(&result)) return allocation;
-  // No need for write barrier since object is white and map is in old space.
-  result->set_map_after_allocation(map, SKIP_WRITE_BARRIER);
+  // New space objects are allocated white.
+  WriteBarrierMode write_barrier_mode =
+      space == NEW_SPACE ? SKIP_WRITE_BARRIER : UPDATE_WRITE_BARRIER;
+  result->set_map_after_allocation(map, write_barrier_mode);
  if (allocation_site != NULL) {
    AllocationMemento* alloc_memento = reinterpret_cast<AllocationMemento*>(
        reinterpret_cast<Address>(result) + map->instance_size());

--- a/test/cctest/heap/heap-tester.h
+++ b/test/cctest/heap/heap-tester.h
@@ -34,6 +34,7 @@
  V(Regress658718)                                        \
  V(Regress670675)                                        \
  V(Regress5831)                                          \
+  V(RegressMissingWriteBarrierInAllocate)                 \
  V(WriteBarriersInCopyJSObject)

 #define HEAP_TEST(Name)                                                       \

--- a/test/cctest/heap/test-heap.cc
+++ b/test/cctest/heap/test-heap.cc
@@ -6353,5 +6353,38 @@ HEAP_TEST(Regress5831) {
  CHECK(chunk->NeverEvacuate());
 }

+HEAP_TEST(RegressMissingWriteBarrierInAllocate) {
+  if (!FLAG_incremental_marking) return;
+  FLAG_black_allocation = true;
+  CcTest::InitializeVM();
+  v8::HandleScope scope(CcTest::isolate());
+  Heap* heap = CcTest::heap();
+  Isolate* isolate = heap->isolate();
+  CcTest::CollectAllGarbage();
+  heap::SimulateIncrementalMarking(heap, false);
+  Map* map;
+  {
+    AlwaysAllocateScope always_allocate(isolate);
+    map = Map::cast(heap->AllocateMap(HEAP_NUMBER_TYPE, HeapNumber::kSize)
+                        .ToObjectChecked());
+  }
+  heap->incremental_marking()->StartBlackAllocationForTesting();
+  Handle<HeapObject> object;
+  {
+    AlwaysAllocateScope always_allocate(isolate);
+    object = Handle<HeapObject>(
+        heap->Allocate(map, OLD_SPACE).ToObjectChecked(), isolate);
+  }
+  // The object is black. If Heap::Allocate sets the map without write-barrier,
+  // then the map is white and will be freed prematurely.
+  heap::SimulateIncrementalMarking(heap, true);
+  CcTest::CollectAllGarbage();
+  MarkCompactCollector* collector = heap->mark_compact_collector();
+  if (collector->sweeping_in_progress()) {
+    collector->EnsureSweepingCompleted();
+  }
+  CHECK(object->map()->IsMap());
+}
+
 }  // namespace internal
 }  // namespace v8