[heap] Fix data race in JSObject::RawFastDoublePropertyAsBitsAtPut with

concurrent marking. The function should use relaxed store similar to other JSObject setters. BUG=chromium:694255 Change-Id: I032f0763a5f2420d120bce976533aa0007868b97 Reviewed-on: https://chromium-review.googlesource.com/565573Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#46535}

[heap] Fix data race in JSObject::RawFastDoublePropertyAsBitsAtPut with
concurrent marking. The function should use relaxed store similar to other JSObject setters. BUG=chromium:694255 Change-Id: I032f0763a5f2420d120bce976533aa0007868b97 Reviewed-on: https://chromium-review.googlesource.com/565573Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#46535}
e4b3f6a7 · Ulan Degenbaev · Commit Bot · b707c602 · e4b3f6a7
Commit e4b3f6a7 authored Jul 10, 2017 by Ulan Degenbaev Committed by Commit Bot Jul 10, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

objects-inl.h src/objects-inl.h +5 -1

No files found.
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -1569,7 +1569,11 @@ void JSObject::RawFastPropertyAtPut(FieldIndex index, Object* value) {

 void JSObject::RawFastDoublePropertyAsBitsAtPut(FieldIndex index,
                                                uint64_t bits) {
-  WRITE_UINT64_FIELD(this, index.offset(), bits);
+  // Double unboxing is enabled only on 64-bit platforms.
+  DCHECK_EQ(kDoubleSize, kPointerSize);
+  Address field_addr = FIELD_ADDR(this, index.offset());
+  base::Relaxed_Store(reinterpret_cast<base::AtomicWord*>(field_addr),
+                      static_cast<base::AtomicWord>(bits));
 }

 void JSObject::FastPropertyAtPut(FieldIndex index, Object* value) {