diff --git a/src/objects.cc b/src/objects.cc index 50551dba8f..96b1031c39 100644 --- a/src/objects.cc +++ b/src/objects.cc @@ -16132,7 +16132,6 @@ void JSArrayBuffer::Setup(Handle array_buffer, Isolate* isolate, for (int i = 0; i < v8::ArrayBuffer::kInternalFieldCount; i++) { array_buffer->SetInternalField(i, Smi::FromInt(0)); } - array_buffer->set_backing_store(data); array_buffer->set_bit_field(0); array_buffer->set_is_external(is_external); array_buffer->set_is_neuterable(shared == SharedFlag::kNotShared); @@ -16142,6 +16141,11 @@ void JSArrayBuffer::Setup(Handle array_buffer, Isolate* isolate, isolate->factory()->NewNumberFromSize(allocated_length); CHECK(byte_length->IsSmi() || byte_length->IsHeapNumber()); array_buffer->set_byte_length(*byte_length); + // Initialize backing store at last to avoid handling of |JSArrayBuffers| that + // are currently being constructed in the |ArrayBufferTracker|. The + // registration method below handles the case of registering a buffer that has + // already been promoted. + array_buffer->set_backing_store(data); if (data && !is_external) { isolate->heap()->RegisterNewArrayBuffer(*array_buffer); @@ -16191,8 +16195,15 @@ Handle JSTypedArray::MaterializeArrayBuffer( void* backing_store = isolate->array_buffer_allocator()->AllocateUninitialized( fixed_typed_array->DataSize()); - buffer->set_backing_store(backing_store); buffer->set_is_external(false); + DCHECK(buffer->byte_length()->IsSmi() || + buffer->byte_length()->IsHeapNumber()); + DCHECK(NumberToInt32(buffer->byte_length()) == fixed_typed_array->DataSize()); + // Initialize backing store at last to avoid handling of |JSArrayBuffers| that + // are currently being constructed in the |ArrayBufferTracker|. The + // registration method below handles the case of registering a buffer that has + // already been promoted. + buffer->set_backing_store(backing_store); isolate->heap()->RegisterNewArrayBuffer(*buffer); memcpy(buffer->backing_store(), fixed_typed_array->DataPtr(),