diff options
| author | Ulan Degenbaev <ulan@chromium.org> | 2020-02-14 17:19:17 +0100 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-05 09:49:41 +0000 |
| commit | 24581ca7dde88e3faed1fe085c09f0d7ba635320 (patch) | |
| tree | b4ff90ffbe4d9402b5f1ea5cf67b8be13dc7de7d | |
| parent | a7d90c1eadc5e59f2a3335de324fc0778e5557f1 (diff) | |
| download | qtwebengine-chromium-24581ca7dde88e3faed1fe085c09f0d7ba635320.tar.gz | |
[Backport] Security bug 1040700
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2056850:
Merged: [heap] Fix data race in Sweeper::MakeIterable
Revision: 31d36add8c5970078feba27b9791033aee107b2f
BUG=chromium:1040700
Change-Id: If3d88e1c93b5b2e9c07fb3e51f0a5ff00573e130
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
| -rw-r--r-- | chromium/v8/src/heap/sweeper.cc | 8 | ||||
| -rw-r--r-- | chromium/v8/src/heap/sweeper.h | 3 |
2 files changed, 7 insertions, 4 deletions
diff --git a/chromium/v8/src/heap/sweeper.cc b/chromium/v8/src/heap/sweeper.cc index cbb7d717b07..962f9ef6645 100644 --- a/chromium/v8/src/heap/sweeper.cc +++ b/chromium/v8/src/heap/sweeper.cc @@ -242,7 +242,8 @@ void Sweeper::EnsureCompleted() { bool Sweeper::AreSweeperTasksRunning() { return num_sweeping_tasks_ != 0; } int Sweeper::RawSweep(Page* p, FreeListRebuildingMode free_list_mode, - FreeSpaceTreatmentMode free_space_mode) { + FreeSpaceTreatmentMode free_space_mode, + const base::MutexGuard& page_guard) { Space* space = p->owner(); DCHECK_NOT_NULL(space); DCHECK(free_list_mode == IGNORE_FREE_LIST || space->identity() == OLD_SPACE || @@ -430,7 +431,7 @@ int Sweeper::ParallelSweepPage(Page* page, AllocationSpace identity) { page->set_concurrent_sweeping_state(Page::kSweepingInProgress); const FreeSpaceTreatmentMode free_space_mode = Heap::ShouldZapGarbage() ? ZAP_FREE_SPACE : IGNORE_FREE_SPACE; - max_freed = RawSweep(page, REBUILD_FREE_LIST, free_space_mode); + max_freed = RawSweep(page, REBUILD_FREE_LIST, free_space_mode, guard); DCHECK(page->SweepingDone()); // After finishing sweeping of a page we clean up its remembered set. @@ -583,10 +584,11 @@ void Sweeper::AddPageForIterability(Page* page) { } void Sweeper::MakeIterable(Page* page) { + base::MutexGuard guard(page->mutex()); DCHECK(IsValidIterabilitySpace(page->owner_identity())); const FreeSpaceTreatmentMode free_space_mode = Heap::ShouldZapGarbage() ? ZAP_FREE_SPACE : IGNORE_FREE_SPACE; - RawSweep(page, IGNORE_FREE_LIST, free_space_mode); + RawSweep(page, IGNORE_FREE_LIST, free_space_mode, guard); } } // namespace internal diff --git a/chromium/v8/src/heap/sweeper.h b/chromium/v8/src/heap/sweeper.h index 97de7a028d1..f56708f3f8f 100644 --- a/chromium/v8/src/heap/sweeper.h +++ b/chromium/v8/src/heap/sweeper.h @@ -90,7 +90,8 @@ class Sweeper { void ScheduleIncrementalSweepingTask(); int RawSweep(Page* p, FreeListRebuildingMode free_list_mode, - FreeSpaceTreatmentMode free_space_mode); + FreeSpaceTreatmentMode free_space_mode, + const base::MutexGuard& page_guard); // After calling this function sweeping is considered to be in progress // and the main thread can sweep lazily, but the background sweeper tasks |