AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[strings] Fix flattening ConsStrings with StringForwardingTable enabled

Browse Source 
When using the StringForwardingTable for all strings, string shapes can
change during GC. This led to an issue when a ConsString was
transitioned to a ThinString (and potentially shortcutted to
InternalizedString) while flattening.

Bug: chromium:1335826, chromium:1329726
Change-Id: Ide243a5e24fd41374053972fb7bab8217d7a14fd
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3705377
Reviewed-by: Camillo Bruni <cbruni@chromium.org>
Commit-Queue: Camillo Bruni <cbruni@chromium.org>
Auto-Submit: Patrick Thier <pthier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#81131}
This commit is contained in:
Patrick Thier 2022-06-14 09:12:10 +00:00 committed by V8 LUCI CQ
parent ec009ba29c
commit 8c10f67611
1 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
src/objects/string.cc
View File

@ -61,6 +61,14 @@ Handle<String> String::SlowFlatten(Isolate* isolate, Handle<ConsString> cons,
isolate->factory()
->NewRawOneByteString(length, allocation)
.ToHandleChecked();
// When the ConsString had a forwarding index, it is possible that it was
// transitioned to a ThinString (and eventually shortcutted to
// InternalizedString) during GC.
if (V8_UNLIKELY(FLAG_always_use_string_forwarding_table &&
!cons->IsConsString())) {
DCHECK(cons->IsInternalizedString() || cons->IsThinString());
return String::Flatten(isolate, cons, allocation);
}
DisallowGarbageCollection no_gc;
WriteToFlat(*cons, flat->GetChars(no_gc), 0, length);
result = flat;
@ -69,6 +77,14 @@ Handle<String> String::SlowFlatten(Isolate* isolate, Handle<ConsString> cons,
isolate->factory()
->NewRawTwoByteString(length, allocation)
.ToHandleChecked();
// When the ConsString had a forwarding index, it is possible that it was
// transitioned to a ThinString (and eventually shortcutted to
// InternalizedString) during GC.
if (V8_UNLIKELY(FLAG_always_use_string_forwarding_table &&
!cons->IsConsString())) {
DCHECK(cons->IsInternalizedString() || cons->IsThinString());
return String::Flatten(isolate, cons, allocation);
}
DisallowGarbageCollection no_gc;
WriteToFlat(*cons, flat->GetChars(no_gc), 0, length);
result = flat;