AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[heap] Fix benign data race with string length.

Browse Source 
Factory::NewRawOneByteString initializes the string length without
atomic accessor. This leads to data race if the string is pretenured
and black allocated because the concurrent marker loads the string
length before checking the string markbits.

This patch changes the order to check the markbits first.

Bug: v8:8579
Change-Id: Ic434f7dde9baa6264fe133499d2394c0d4cc5394
Reviewed-on: https://chromium-review.googlesource.com/c/1388542
Commit-Queue: Ulan Degenbaev <ulan@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Cr-Commit-Position: refs/heads/master@{#58465}
This commit is contained in:
Ulan Degenbaev 2018-12-21 16:45:29 +01:00 committed by Commit Bot
parent eb537d7485
commit 9a0fcfd848
1 changed files with 2 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/heap/concurrent-marking.cc
View File

@ -300,17 +300,15 @@ class ConcurrentMarkingVisitor final
// ===========================================================================
int VisitSeqOneByteString(Map map, SeqOneByteString object) {
int size = SeqOneByteString::SizeFor(object->synchronized_length());
if (!ShouldVisit(object)) return 0;
VisitMapPointer(object, object->map_slot());
return size;
return SeqOneByteString::SizeFor(object->synchronized_length());
}
int VisitSeqTwoByteString(Map map, SeqTwoByteString object) {
int size = SeqTwoByteString::SizeFor(object->synchronized_length());
if (!ShouldVisit(object)) return 0;
VisitMapPointer(object, object->map_slot());
return size;
return SeqTwoByteString::SizeFor(object->synchronized_length());
}
// ===========================================================================