[heap] Fix a data race in layout descriptor.

The race happens when the layout descriptor is evacuated at the same time as an object that has this layout descriptor is evacuated. Change-Id: I0a5fc545cf359fdfe738d8b6359713f5ea170986 Reviewed-on: https://chromium-review.googlesource.com/544953 Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Michael Lippautz <mlippautz@chromium.org> Cr-Commit-Position: refs/heads/master@{#46175}
2017-06-23 13:58:41 +02:00 · 2017-06-23 13:58:41 +02:00 · 2a614f95bd
commit 2a614f95bd
parent c503b80595
2 changed files with 6 additions and 14 deletions
--- a/src/layout-descriptor-inl.h
+++ b/src/layout-descriptor-inl.h
@ -135,18 +135,11 @@ int LayoutDescriptor::capacity() {


 LayoutDescriptor* LayoutDescriptor::cast_gc_safe(Object* object) {
-  if (object->IsSmi()) {
-    // Fast mode layout descriptor.
-    return reinterpret_cast<LayoutDescriptor*>(object);
-  }
-
-  // This is a mixed descriptor which is a fixed typed array.
-  MapWord map_word = reinterpret_cast<HeapObject*>(object)->map_word();
-  if (map_word.IsForwardingAddress()) {
-    // Mark-compact has already moved layout descriptor.
-    object = map_word.ToForwardingAddress();
-  }
-  return LayoutDescriptor::cast(object);
+  // The map word of the object can be a forwarding pointer during
+  // object evacuation phase of GC. Since the layout descriptor methods
+  // for checking whether a field is tagged or not do not depend on the
+  // object map, it should be safe.
+  return reinterpret_cast<LayoutDescriptor*>(object);
 }

 int LayoutDescriptor::GetSlowModeBackingStoreLength(int length) {
--- a/test/cctest/test-unboxed-doubles.cc
+++ b/test/cctest/test-unboxed-doubles.cc
@ -609,8 +609,7 @@ TEST(LayoutDescriptorCreateNewSlow) {
    layout_desc->set_map_word(
        MapWord::FromForwardingAddress(*layout_descriptor_copy));
    CHECK(layout_desc->map_word().IsForwardingAddress());
-    CHECK_EQ(*layout_descriptor_copy,
-             LayoutDescriptor::cast_gc_safe(layout_desc));
+    CHECK_EQ(layout_desc, LayoutDescriptor::cast_gc_safe(layout_desc));

    // Restore it back.
    layout_desc->set_map_word(map_word);