Updates:
Cc: verwa...@chromium.org
Comment #5 on issue 2843 by jkumme...@chromium.org: Flaky error on the 3.20
branch
http://code.google.com/p/v8/issues/detail?id=2843
There are two aspects to this:
(1) Yes, environment liveness. This is another case where we're not
visiting the entire graph, so live ranges are screwed up. The repro case is
roughly:
function foo() { throw "HAbnormalExit"; }
function bar() {
var x = {"use_me_once": function() {}, "use_me_again": function() {} };
x.use_me_once();
foo(); // Inline this.
x.use_me_again();
}
Since the inlined foo has no reachable successor blocks, "x.use_me_again()"
is never visited during graph building, x's environment slot is zapped
before the HEnterInlined, and after foo has triggered a deopt the
unoptimized code will complain "Cannot call method 'use_me_again' of
undefined".
I'll work on a fix for this tomorrow.
(2) The method that actually gets inlined is assumed to be a constant
property guarded by a map check of its holder. Even though all holders the
function ever sees have the same map, we're sometimes putting the wrong map
in that map check (and, in consequence, also inlining the wrong function).
The failing map check then causes the deopt that exposes issue (1). This is
probably related to map deprecation and GC interaction; it is unclear
whether we can do anything about it, but I think it deserves some
investigation.
--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
