[heap] Fix data race with inobject_properties access in concurrent marker.

The race happens when inobject slack tracking is being completed on the main thread, which decrements inobject_properties. At the same time the concurrent marker is reading inobject_properties via the LayoutDescriptorHelper. BUG=chromium:694255 Change-Id: I4627d66b66c6036d357b9f619e1c602f0bb47d80 Reviewed-on: https://chromium-review.googlesource.com/555210 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#46319}
2017-06-29 14:01:02 +02:00 · 2017-06-29 14:01:02 +02:00 · 039849478b
commit 039849478b
parent 95a436b271
2 changed files with 6 additions and 4 deletions
--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@ -3213,15 +3213,16 @@ int Map::instance_size() {
 int Map::inobject_properties_or_constructor_function_index() {
-  return READ_BYTE_FIELD(this,
+  return RELAXED_READ_BYTE_FIELD(
-                         kInObjectPropertiesOrConstructorFunctionIndexOffset);
+      this, kInObjectPropertiesOrConstructorFunctionIndexOffset);
 }
 void Map::set_inobject_properties_or_constructor_function_index(int value) {
  DCHECK(0 <= value && value < 256);
-  WRITE_BYTE_FIELD(this, kInObjectPropertiesOrConstructorFunctionIndexOffset,
+  RELAXED_WRITE_BYTE_FIELD(this,
-                   static_cast<byte>(value));
+                           kInObjectPropertiesOrConstructorFunctionIndexOffset,
                           static_cast<byte>(value));
 }
--- a/src/objects.cc
+++ b/src/objects.cc
@ -11914,6 +11914,7 @@ static void ShrinkInstanceSize(Map* map, void* data) {
  int old_visitor_id = Heap::GetStaticVisitorIdForMap(map);
 #endif
  int slack = *reinterpret_cast<int*>(data);
  DCHECK_GE(slack, 0);
  map->SetInObjectProperties(map->GetInObjectProperties() - slack);
  map->set_unused_property_fields(map->unused_property_fields() - slack);
  map->set_instance_size(map->instance_size() - slack * kPointerSize);