-
Ulan Degenbaev authored
This patch ensures that an object returned by AllocateRaw is marked black if black allocation starts during the object allocation. This fixes the following issue: 1) Generated code requests allocation of size N for folded allocation. 2) Runtime gets a free list node at address A of size N+M and sets up a linear allocation area with top = A+N and limit = A+N+M. 3) Runtime invokes the allocation observer that starts incremental marking and start black allocation. The area [A+N, A+N+M) is marked black. 4) Runtime returns a white object at address A as the allocation result. 5) Generated code moves the top pointer to A and does bump pointer allocations of white objects from A to A+N+M. 6) Object allocated new A+N can have the impossible marbit pattern. Bug: chromium:694255 Change-Id: I09ceebc97a510fa5fe4ff20706bc46a99f8b7cf4 Reviewed-on: https://chromium-review.googlesource.com/638338 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by:
Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#48005}
97b2a814
