[compiler] Fix JSHeapBroker::GetOrCreateData()

... which might use an outdated result of a lookup. Currently it's not an issue, since we don't reuse container's backing stores allocated in zone memory. Bug: v8:7790 Change-Id: I30cc0ba747fd704403422711d1f1a5952fe6d68c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2301931 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#68894}

[compiler] Fix JSHeapBroker::GetOrCreateData()
... which might use an outdated result of a lookup. Currently it's not an issue, since we don't reuse container's backing stores allocated in zone memory. Bug: v8:7790 Change-Id: I30cc0ba747fd704403422711d1f1a5952fe6d68c Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2301931 Commit-Queue: Igor Sheludko <ishell@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#68894}
bd6450e6 · Igor Sheludko · Commit Bot · 4d4cdaf4 · bd6450e6
Commit bd6450e6 authored Jul 16, 2020 by Igor Sheludko Committed by Commit Bot Jul 16, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 13 deletions

js-heap-broker.cc src/compiler/js-heap-broker.cc +19 -13

No files found.
--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@@ -2708,28 +2708,34 @@ void JSHeapBroker::InitializeAndStartSerializing(
 // clang-format off
 ObjectData* JSHeapBroker::GetOrCreateData(Handle<Object> object) {
  RefsMap::Entry* entry = refs_->LookupOrInsert(object.address());
-  ObjectData** data_storage = &(entry->value);
-  if (*data_storage == nullptr) {
+  ObjectData* object_data = entry->value;
+
+  if (object_data == nullptr) {
+    ObjectData** data_storage = &(entry->value);
    // TODO(neis): Remove these Allow* once we serialize everything upfront.
    AllowHandleDereference handle_dereference;
    if (object->IsSmi()) {
-      zone()->New<ObjectData>(this, data_storage, object, kSmi);
+      object_data = zone()->New<ObjectData>(this, data_storage, object, kSmi);
    } else if (IsReadOnlyHeapObject(*object)) {
-      zone()->New<ObjectData>(this, data_storage, object,
-                              kUnserializedReadOnlyHeapObject);
-#define CREATE_DATA_IF_MATCH(name)                                             \
-    } else if (object->Is##name()) {                                           \
-      CHECK(SerializingAllowed());                                             \
-      AllowHandleAllocation handle_allocation;                                 \
-      zone()->New<name##Data>(this, data_storage, Handle<name>::cast(object));
-    HEAP_BROKER_OBJECT_LIST(CREATE_DATA_IF_MATCH)
+      object_data = zone()->New<ObjectData>(this, data_storage, object,
+                                            kUnserializedReadOnlyHeapObject);
+#define CREATE_DATA_IF_MATCH(name)                              \
+    } else if (object->Is##name()) {                            \
+      CHECK(SerializingAllowed());                              \
+      AllowHandleAllocation handle_allocation;                  \
+      object_data = zone()->New<name##Data>(this, data_storage, \
+                                            Handle<name>::cast(object));
+
+      HEAP_BROKER_OBJECT_LIST(CREATE_DATA_IF_MATCH)
 #undef CREATE_DATA_IF_MATCH
    } else {
      UNREACHABLE();
    }
+    // At this point the entry pointer is not guaranteed to be valid as
+    // the refs_ hash hable could be resized by one of the constructors above.
+    DCHECK_EQ(object_data, refs_->Lookup(object.address())->value);
  }
-  CHECK_NOT_NULL(*data_storage);
-  return (*data_storage);
+  return object_data;
 }
 // clang-format on