Version 3.30.33.8 (cherry-pick)
Merged 65f4716b3fe8ccbb879e11312b565f6cc3a85fab
Handle store buffer slot overwrite during object promotion.
R=jarin@chromium.org
BUG=
Review URL: https://codereview.chromium.org/774153002
Cr-Commit-Position: refs/branch-heads/3.30@{#25262}
diff --git a/src/heap/heap.cc b/src/heap/heap.cc
index 5c8cd45..c4eed9c 100644
--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -2038,7 +2038,17 @@
// Order is important: slot might be inside of the target if target
// was allocated over a dead object and slot comes from the store
// buffer.
- *slot = target;
+
+ // Unfortunately, the allocation can also write over the slot if the slot
+ // was in free space and the allocation wrote free list data (such as the
+ // free list map or entry size) over the slot. We guard against this by
+ // checking that the slot still points to the object being moved. This
+ // should be sufficient because neither the free list map nor the free
+ // list entry size should look like a new space pointer (the former is an
+ // old space pointer, the latter is word-aligned).
+ if (*slot == object) {
+ *slot = target;
+ }
MigrateObject(heap, object, target, object_size);
if (object_contents == POINTER_OBJECT) {
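Review bot: The guard `if (*slot == object)` relies on an assumption stated only in the comment — that free-list data written over the slot can never look like a new-space pointer — and nothing checks it, so if a slot were overwritten with a value that is a new-space pointer the scavenger would silently leave it stale rather than fail loudly. I would make the assumption a debug-time invariant with an else branch: `} else { DCHECK(!heap->InNewSpace(*slot)); }`, assuming `Heap::InNewSpace(Object*)` is reachable through the `heap` parameter that `MigrateObject` already receives. It would also help to extend the comment with one sentence noting that a slot lying inside `target` (the case the "Order is important" comment covers) is handled by the same comparison, since that was the original reason for the ordering. The enclosing function begins before and ends after this hunk, so I cannot confirm the declared type of `slot` from here.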
diff --git a/src/version.cc b/src/version.cc
index 258d759..0e3a188 100644
--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
#define MAJOR_VERSION 3
#define MINOR_VERSION 30
#define BUILD_NUMBER 33
-#define PATCH_LEVEL 7
+#define PATCH_LEVEL 8
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
#define IS_CANDIDATE_VERSION 0