-
hpayer authored
The race can happen if: 1) Fixed array A is right before object B in new space 2) A slot in object C located in old space points to object B (old to new remembered set entry is created) 3) Object C becomes unreachable which held the only reference to object B which also becomes unreachable 4) Fixed array A gets right trimmed 5) The sweeper will sweep the last word of object A and object B. It will write the free space map into the last word of object A and a size field in the first word of object B. 6) Pointer updating may observe the size field now because the recored slot points to the start of object B and will confuse it with a forwarding pointer. Note a similar race may happen with left trimming. Array A points to its backing store, the backing store gets left trimmed by 1 element, and array A dies. BUG= Review-Url: https://codereview.chromium.org/2416563002 Cr-Commit-Position: refs/heads/master@{#40218}
13488842
