Fix incorrect DCHECK in ExternalPointerTable::Mark

The DCHECK is not correct: if we're marking a not-fully-initialized object, then the handle can change from its uninitialized value (zero) to a valid handle prior to this DCHECK, therefore causing it to fail. This scenario is fine though, since the new entry will already be marked as alive as it has just been allocated. To fix that, the DCHECK now allows the two values to mismatch iff the handle is zero. Bug: v8:13297 Change-Id: If640d457da1d78a3d1666ffa930c27116a6080c5 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3981553 Commit-Queue: Samuel Groß <saelo@chromium.org> Reviewed-by: Igor Sheludko <ishell@chromium.org> Cr-Commit-Position: refs/heads/main@{#83931}
2022-10-26 11:09:14 +00:00 · 2022-10-26 11:09:14 +00:00 · 5571f9973c
commit 5571f9973c
parent 77da3d0dcd
1 changed files with 8 additions and 1 deletions
--- a/src/sandbox/external-pointer-table-inl.h
+++ b/src/sandbox/external-pointer-table-inl.h
@ -144,7 +144,14 @@ uint32_t ExternalPointerTable::FreelistSize() {
 void ExternalPointerTable::Mark(ExternalPointerHandle handle,
                                Address handle_location) {
  static_assert(sizeof(base::Atomic64) == sizeof(Address));
-  DCHECK_EQ(handle, *reinterpret_cast<ExternalPointerHandle*>(handle_location));
+  // The handle_location must contain the given handle. The only exception to
+  // this is when the handle is zero, which means that it hasn't yet been
+  // initialized. In that case, the handle may be initialized between the
+  // caller loading it and this DCHECK loading it again, in which case the two
+  // values would not be the same. This scenario is unproblematic though as the
+  // new entry will already be marked as alive as it has just been allocated.
+  DCHECK(handle == kNullExternalPointerHandle ||
+         handle == *reinterpret_cast<ExternalPointerHandle*>(handle_location));

  uint32_t index = HandleToIndex(handle);