[heap] Scavenger: Fix benign race in LayoutDescriptor access

We need to write the slot with a relaxed write. No additional barrier is needed because the new object has been published using Release_CAS and reading either value is fine (as long as all initializing stores have been published). NOTRY=true Bug: chromium:738865 Change-Id: Ieeacccf00e0a7e8eb950eee01060bd1963e30a42 Reviewed-on: https://chromium-review.googlesource.com/589007 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#46924}

[heap] Scavenger: Fix benign race in LayoutDescriptor access
We need to write the slot with a relaxed write. No additional barrier is needed because the new object has been published using Release_CAS and reading either value is fine (as long as all initializing stores have been published). NOTRY=true Bug: chromium:738865 Change-Id: Ieeacccf00e0a7e8eb950eee01060bd1963e30a42 Reviewed-on: https://chromium-review.googlesource.com/589007 Commit-Queue: Michael Lippautz <mlippautz@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#46924}
bb840f4f · Michael Lippautz · Commit Bot · f5d42fc4 · bb840f4f
Commit bb840f4f authored Jul 27, 2017 by Michael Lippautz Committed by Commit Bot Jul 27, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

scavenger-inl.h src/heap/scavenger-inl.h +3 -0

No files found.
--- a/src/heap/scavenger-inl.h
+++ b/src/heap/scavenger-inl.h
@@ -239,6 +239,9 @@ void Scavenger::ScavengeObject(HeapObject** p, HeapObject* object) {
    HeapObject* dest = first_word.ToForwardingAddress();
    DCHECK(object->GetIsolate()->heap()->InFromSpace(*p));
    *p = dest;
+    // We require a relaxed store here since the slot might be in the map
+    // (e.g. LayoutDescriptor) and thus used for checking the layout.
+    base::AsAtomicWord::Relaxed_Store(p, dest);
    return;
  }