authorJakob Kummerow <jkummerow@chromium.org>2014-12-03 10:40:41 +0100
committerJakob Kummerow <jkummerow@chromium.org>2014-12-03 09:40:50 +0000
commit887005895a11123fdc0d4c3b2e8e53cc8dd7c27a (patch)
treeaa6282a6579c7d0a8cd9079e98fedba8e88ec945
parentd2f16971bdcc2899e0939815005f43253e3e7410 (diff)
downloadv8-887005895a11123fdc0d4c3b2e8e53cc8dd7c27a.tar.gz
Version 3.30.33.8 (cherry-pick)
Merged 65f4716b3fe8ccbb879e11312b565f6cc3a85fab Handle store buffer slot overwrite during object promotion. R=jarin@chromium.org BUG= Review URL: https://codereview.chromium.org/774153002 Cr-Commit-Position: refs/branch-heads/3.30@{#25262}
-rw-r--r--src/heap/heap.cc12
-rw-r--r--src/version.cc2
2 files changed, 12 insertions, 2 deletions
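--- a/src/heap/heap.cc
+++ b/src/heap/heap.cc
@@ -2038,7 +2038,17 @@ class ScavengingVisitor : public StaticVisitorBase {
 // Order is important: slot might be inside of the target if target
 // was allocated over a dead object and slot comes from the store
 // buffer.
-*slot = target;
+
+// Unfortunately, the allocation can also write over the slot if the slot
+// was in free space and the allocation wrote free list data (such as the
+// free list map or entry size) over the slot. We guard against this by
+// checking that the slot still points to the object being moved. This
+// should be sufficient because neither the free list map nor the free
+// list entry size should look like a new space pointer (the former is an
+// old space pointer, the latter is word-aligned).
+if (*slot == object) {
+*slot = target;
+}
 MigrateObject(heap, object, target, object_size);
 if (object_contents == POINTER_OBJECT) {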
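Review bot: The new `if (*slot == object)` guard silently skips the store when the slot no longer points at `object`, but nothing verifies the comment's own invariant that the stale value is free-list data rather than some other new-space pointer, so a genuinely corrupted slot would be missed rather than caught. Since this is a GC path where a wrong or missed slot update corrupts the heap, I would add a debug-only check of that invariant in an else branch, e.g. `} else { DCHECK(!heap->InNewSpace(*slot)); }`, assuming `Heap::InNewSpace(Object*)` is the accessor available here (`heap` is already in scope for the `MigrateObject` call). The justification "the latter is word-aligned" is hard to follow on its own; it would read better as something like `// the latter is a Smi, whose low tag bit differs from a heap pointer's`, if that is indeed the reasoning. The enclosing function starts and ends outside the hunk, and one trailing context line of the hunk appears to be missing from the page.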
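--- a/src/version.cc
+++ b/src/version.cc
@@ -35,7 +35,7 @@
 #define MAJOR_VERSION 3
 #define MINOR_VERSION 30
 #define BUILD_NUMBER 33
-#define PATCH_LEVEL 7
+#define PATCH_LEVEL 8
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
 #define IS_CANDIDATE_VERSION 0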