-
Ulan Degenbaev authored
This fixes an old bug uncovered by https://chromium-review.googlesource.com/591651 The bug is a race between the concurrent sweeper clearing slots and the mutator adding slots and trimming fixed array: 1) The sweeper starts sweeping a page with an existing fixed array. 2) The sweeper pre-caches the slots clearing mode by checking if the slot set pointer on the page is null or not. (This is the bug). 3) The mutator updates the fixed array such that new slots are added. 4) The mutator trims the fixed array such that the added slots are now in free space. 5) The sweeper adds the trimmed part of the fixed array to free list, but does not clear slots there because of the cached flag. 6) A new object is allocated from the free list entry and it has a bogus slot entry recorded. Bug: chromium:752750 TBR: mlippautz@chromium.org Change-Id: I4f70514fa05b692a27d992954cb4c314ef4cac07 Reviewed-on: https://chromium-review.googlesource.com/608047Reviewed-by:
Ulan Degenbaev <ulan@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#47242}
ef0e8359
