Fix initalization of embedder fields for ArrayBuffers

This moves the initialization to JSArrayBuffer::SetupEmpty, which is the proper bottleneck for all paths constructing array buffers. Bug: chromium:1006600,v8:9380 Change-Id: I1887cb867627d69ade20654e5bc372b1ba1ac4e3 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1815132 Reviewed-by: Yang Guo <yangguo@chromium.org> Reviewed-by: Jakob Kummerow <jkummerow@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Cr-Commit-Position: refs/heads/master@{#63939}
2019-09-23 19:17:36 +02:00 · 2019-09-23 19:17:36 +02:00 · c199f828a8
commit c199f828a8
parent 56d694265c
3 changed files with 15 additions and 3 deletions
--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@ -3092,7 +3092,6 @@ Handle<JSArrayBuffer> Factory::NewJSArrayBuffer(AllocationType allocation) {
                  isolate());
  auto result =
      Handle<JSArrayBuffer>::cast(NewJSObjectFromMap(map, allocation));
-  ZeroEmbedderFields(result);
  result->SetupEmpty(SharedFlag::kNotShared);
  return result;
 }
@ -3113,7 +3112,6 @@ MaybeHandle<JSArrayBuffer> Factory::NewJSArrayBufferAndBackingStore(
  auto array_buffer =
      Handle<JSArrayBuffer>::cast(NewJSObjectFromMap(map, allocation));
  array_buffer->Attach(std::move(backing_store));
-  ZeroEmbedderFields(array_buffer);
  return array_buffer;
 }

@ -3123,7 +3121,6 @@ Handle<JSArrayBuffer> Factory::NewJSSharedArrayBuffer() {
      isolate());
  auto result = Handle<JSArrayBuffer>::cast(
      NewJSObjectFromMap(map, AllocationType::kYoung));
-  ZeroEmbedderFields(result);
  result->SetupEmpty(SharedFlag::kShared);
  return result;
 }
@ -4170,6 +4167,7 @@ Handle<JSPromise> Factory::NewJSPromiseWithoutHook() {
  promise->set_reactions_or_result(Smi::kZero);
  promise->set_flags(0);
  ZeroEmbedderFields(promise);
+  DCHECK_EQ(promise->GetEmbedderFieldCount(), v8::Promise::kEmbedderFieldCount);
  return promise;
 }

--- a/src/objects/js-array-buffer.cc
+++ b/src/objects/js-array-buffer.cc
@ -41,6 +41,9 @@ void JSArrayBuffer::SetupEmpty(SharedFlag shared) {
  set_is_detachable(shared != SharedFlag::kShared);
  set_backing_store(nullptr);
  set_byte_length(0);
+  for (int i = 0; i < v8::ArrayBuffer::kEmbedderFieldCount; i++) {
+    SetEmbedderField(i, Smi::kZero);
+  }
 }

 void JSArrayBuffer::Detach(bool force_for_wasm_memory) {
--- a/test/cctest/test-api-array-buffer.cc
+++ b/test/cctest/test-api-array-buffer.cc
@ -503,3 +503,14 @@ THREADED_TEST(SkipArrayBufferDuringScavenge) {
  // Use `ab` to silence compiler warning
  CHECK_EQ(ab->GetBackingStore()->Data(), store_ptr);
 }
+
+THREADED_TEST(Regress1006600) {
+  LocalContext env;
+  v8::Isolate* isolate = env->GetIsolate();
+  v8::HandleScope handle_scope(isolate);
+
+  Local<v8::Value> ab = CompileRunChecked(isolate, "new ArrayBuffer()");
+  for (int i = 0; i < v8::ArrayBuffer::kEmbedderFieldCount; i++) {
+    CHECK_NULL(ab.As<v8::Object>()->GetAlignedPointerFromInternalField(i));
+  }
+}