Reviewers: bmeuer_chromium.org,
Message:
Hi Benedikt,
ClusterFuzz found an issue in the type feedback vector implementation. I've
profitably reduced it's test case to a cctest. PTAL, thanks!
--Michael
Description:
Fix for bug 351257: type feedback vector initialization issue.
The feedback vector is stored in the shared function info, and there
is an effort to reuse it when re-running full code generation as a
prelude to creating optimized code. However we shouldn't reuse the
vector for lazily compiled methods on first compile, as scoping analysis
can change the allocation of vector slots.
BUG=351257
LOG=N
[email protected]
Please review this at https://codereview.chromium.org/196723003/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+42, -7 lines):
M src/compiler.cc
M test/cctest/test-compiler.cc
Index: src/compiler.cc
diff --git a/src/compiler.cc b/src/compiler.cc
index
89864e049ba49fdad495cd2172abf3a347e1fc19..66b950bcb918d220702425e8101869aaf1ffc73a
100644
--- a/src/compiler.cc
+++ b/src/compiler.cc
@@ -142,13 +142,11 @@ void CompilationInfo::Initialize(Isolate* isolate,
}
set_bailout_reason(kUnknown);
- if (!shared_info().is_null()) {
- FixedArray* info_feedback_vector = shared_info()->feedback_vector();
- if (info_feedback_vector->length() > 0) {
- // We should initialize the CompilationInfo feedback vector from the
- // passed in shared info, rather than creating a new one.
- feedback_vector_ = Handle<FixedArray>(info_feedback_vector, isolate);
- }
+ if (!shared_info().is_null() && shared_info()->is_compiled()) {
+ // We should initialize the CompilationInfo feedback vector from the
+ // passed in shared info, rather than creating a new one.
+ feedback_vector_ = Handle<FixedArray>(shared_info()->feedback_vector(),
+ isolate);
}
}
Index: test/cctest/test-compiler.cc
diff --git a/test/cctest/test-compiler.cc b/test/cctest/test-compiler.cc
index
2947658b59f5bd8d480654699f5ca80835d2d286..1a6f69c586a556c01dfbab6a21cc051abff8c946
100644
--- a/test/cctest/test-compiler.cc
+++ b/test/cctest/test-compiler.cc
@@ -347,6 +347,43 @@ TEST(FeedbackVectorPreservedAcrossRecompiles) {
}
+TEST(FeedbackVectorRecreatedOnScopeChanges) {
+ if (i::FLAG_always_opt || !i::FLAG_lazy) return;
+ CcTest::InitializeVM();
+ v8::HandleScope scope(CcTest::isolate());
+
+ CompileRun("function builder() {"
+ " call_target = function() { return 3; };"
+ " return (function() {"
+ " eval('');"
+ " return function() {"
+ " 'use strict';"
+ " call_target();"
+ " }"
+ " })();"
+ "}"
+ "morphing_call = builder();");
+
+ Handle<JSFunction> f =
+ v8::Utils::OpenHandle(
+ *v8::Handle<v8::Function>::Cast(
+ CcTest::global()->Get(v8_str("morphing_call"))));
+
+ // morphing_call should have one feedback vector slot for the call to
+ // call_target(), scoping analysis having been performed.
+ CHECK_EQ(1, f->shared()->feedback_vector()->length());
+ // And yet it's not compiled.
+ CHECK(!f->shared()->is_compiled());
+
+ CompileRun("morphing_call();");
+
+ // On scoping analysis after lazy compile, the call is now a global
+ // call which needs no feedback vector slot.
+ CHECK_EQ(0, f->shared()->feedback_vector()->length());
+ CHECK(f->shared()->is_compiled());
+}
+
+
// Test that optimized code for different closures is actually shared
// immediately by the FastNewClosureStub when run in the same context.
TEST(OptimizedCodeSharing) {
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
