[shared-struct] Fix PropertyArray allocation order

Bug: v8:12547, v8:13468 Change-Id: I0fb39396a32cce4f8e3934b3efee6d2bb70f9ab7 Fixed: v8:13468 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4022028 Commit-Queue: Shu-yu Guo <syg@chromium.org> Reviewed-by: Adam Klein <adamk@chromium.org> Cr-Commit-Position: refs/heads/main@{#84196}
2022-11-10 17:42:23 -08:00 · 2022-11-10 17:42:23 -08:00 · c8b70869b0
commit c8b70869b0
parent 072b3165e6
1 changed files with 15 additions and 9 deletions
--- a/src/heap/factory.cc
+++ b/src/heap/factory.cc
@ -3994,18 +3994,24 @@ Handle<JSFunction> Factory::NewFunctionForTesting(Handle<String> name) {
 Handle<JSSharedStruct> Factory::NewJSSharedStruct(
    Handle<JSFunction> constructor) {
  SharedObjectSafePublishGuard publish_guard;
+
+  Handle<Map> instance_map(constructor->initial_map(), isolate());
+  Handle<PropertyArray> property_array;
+  const int num_oob_fields =
+      instance_map->NumberOfFields(ConcurrencyMode::kSynchronous) -
+      instance_map->GetInObjectProperties();
+  if (num_oob_fields > 0) {
+    property_array =
+        NewPropertyArray(num_oob_fields, AllocationType::kSharedOld);
+  }
+
  Handle<JSSharedStruct> instance = Handle<JSSharedStruct>::cast(
      NewJSObject(constructor, AllocationType::kSharedOld));

-  Handle<Map> instance_map(instance->map(), isolate());
-  if (instance_map->HasOutOfObjectProperties()) {
-    int num_oob_fields =
-        instance_map->NumberOfFields(ConcurrencyMode::kSynchronous) -
-        instance_map->GetInObjectProperties();
-    Handle<PropertyArray> property_array =
-        NewPropertyArray(num_oob_fields, AllocationType::kSharedOld);
-    instance->SetProperties(*property_array);
-  }
+  // The struct object has not been fully initialized yet. Disallow allocation
+  // from this point on.
+  DisallowGarbageCollection no_gc;
+  if (!property_array.is_null()) instance->SetProperties(*property_array);

  return instance;
 }