From f7e484ee29b8b60fc115649101bdad2d07fbb3f1 Mon Sep 17 00:00:00 2001
From: Ulan Degenbaev
Date: Mon, 9 Nov 2020 17:05:56 +0100
Subject: [PATCH] [heap] Fix a data race in a DCHECK in FreeLinearAllocationArea
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The function was using an non-atomic marking state to check the color of the object. This is incorrect because concurrent marking may be running while the linear allocation area is freed.

Bug: chromium:1139165
Change-Id: I20ef22908dfd8dcd75858707e884e87658dcb1cb
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2526391
Auto-Submit: Ulan Degenbaev
Reviewed-by: Dominik Inführ
Commit-Queue: Dominik Inführ
Cr-Commit-Position: refs/heads/master@{#71057}
---
 src/heap/paged-spaces.cc | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/heap/paged-spaces.cc b/src/heap/paged-spaces.cc
index 84bcf7618b..ff6b390ccf 100644
--- a/src/heap/paged-spaces.cc
+++ b/src/heap/paged-spaces.cc
@@ -435,10 +435,9 @@ void PagedSpace::FreeLinearAllocationArea() {
         MemoryChunk::FromAddress(current_top));
   }
 
-  DCHECK_IMPLIES(
-      current_limit - current_top >= 2 * kTaggedSize,
-      heap()->incremental_marking()->non_atomic_marking_state()->IsWhite(
-          HeapObject::FromAddress(current_top)));
+  DCHECK_IMPLIES(current_limit - current_top >= 2 * kTaggedSize,
+                 heap()->incremental_marking()->marking_state()->IsWhite(
+                     HeapObject::FromAddress(current_top)));
   Free(current_top, current_limit - current_top,
        SpaceAccountingMode::kSpaceAccounted);
 }
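Review bot: The switch from `non_atomic_marking_state()` to `marking_state()` in the new `DCHECK_IMPLIES` is not explained at the call site, so a later reader may "simplify" it back to the non-atomic accessor; the reason lives only in the commit message. Add `// Concurrent marking may be running, so read the color through the atomic marking state.` directly above the `DCHECK_IMPLIES` so the choice survives the commit log. Because the racy read sat inside a DCHECK, this fix changes debug builds only; the `Free()` call that follows on the new side presumably writes to the same region while marking runs, and is worth confirming as already race-safe rather than assumed so. The body of FreeLinearAllocationArea begins before the hunk.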