[compiler] Get the Map's instance type concurrently

The instance type is set before setting the map inside an Object. It is relaxed and not non-atomic to prevent a false positive TSAN failure (see https://chromium-review.googlesource.com/c/v8/v8/+/2682641). Bug: v8:7790 Change-Id: Iddd28ffb06b5a882e77c4bf88bf8580df792f198 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2773042 Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Santiago Aboy Solanes <solanes@chromium.org> Cr-Commit-Position: refs/heads/master@{#73570}
2021-03-18 15:15:12 +00:00 · 2021-03-18 15:15:12 +00:00 · 7ace5189a2
commit 7ace5189a2
parent 977e1c9ea6
2 changed files with 3 additions and 1 deletions
--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@ -3486,7 +3486,7 @@ BIMODAL_ACCESSOR_C(Map, int, instance_size)
 BIMODAL_ACCESSOR_C(Map, int, NextFreePropertyIndex)
 BIMODAL_ACCESSOR_C(Map, int, UnusedPropertyFields)
 BIMODAL_ACCESSOR(Map, HeapObject, prototype)
-BIMODAL_ACCESSOR_C(Map, InstanceType, instance_type)
+BIMODAL_ACCESSOR_WITH_FLAG_C(Map, InstanceType, instance_type)
 BIMODAL_ACCESSOR_WITH_FLAG(Map, Object, GetConstructor)
 BIMODAL_ACCESSOR_WITH_FLAG(Map, HeapObject, GetBackPointer)
 BIMODAL_ACCESSOR_C(Map, bool, is_abandoned_prototype_map)
--- a/src/objects/map-inl.h
+++ b/src/objects/map-inl.h
@ -314,6 +314,8 @@ Handle<Map> Map::AddMissingTransitionsForTesting(
  return AddMissingTransitions(isolate, split_map, descriptors);
 }

+// TODO(solanes, v8:7790, v8:11353): Make the instance_type accessors non-atomic
+// when TSAN sees the map's store synchronization.
 InstanceType Map::instance_type() const {
  return static_cast<InstanceType>(
      RELAXED_READ_UINT16_FIELD(*this, kInstanceTypeOffset));