AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[compiler] Unpark local heap in more places

Browse Source 
Bug: chromium:1127405, v8:7790
Change-Id: Ibba029725b46c691b7848b0a092f0159259651c6
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2410381
Reviewed-by: Santiago Aboy Solanes <solanes@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#69887}
This commit is contained in:
Georg Neis 2020-09-14 17:27:29 +02:00 committed by Commit Bot
parent c84ca9c480
commit 241c8fa48f
2 changed files with 36 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/compiler/pipeline.cc
View File

@ -1605,6 +1605,7 @@ struct TypedLoweringPhase {
data->broker(), data->common(),
data->machine(), temp_zone);
AddReducer(data, &graph_reducer, &dead_code_elimination);
if (!data->info()->IsNativeContextIndependent()) {
AddReducer(data, &graph_reducer, &create_lowering);
}
@ -1614,8 +1615,11 @@ struct TypedLoweringPhase {
AddReducer(data, &graph_reducer, &simple_reducer);
AddReducer(data, &graph_reducer, &checkpoint_elimination);
AddReducer(data, &graph_reducer, &common_reducer);
// JSCreateLowering accesses the heap and therefore we need to unpark it.
// ConstantFoldingReducer, JSCreateLowering, JSTypedLowering, and
// TypedOptimization access the heap.
UnparkedScopeIfNeeded scope(data->broker());
graph_reducer.ReduceGraph();
}
};
@ -1628,13 +1632,19 @@ struct EscapeAnalysisPhase {
EscapeAnalysis escape_analysis(data->jsgraph(),
&data->info()->tick_counter(), temp_zone);
escape_analysis.ReduceGraph();
GraphReducer reducer(temp_zone, data->graph(),
&data->info()->tick_counter(), data->broker(),
data->jsgraph()->Dead());
EscapeAnalysisReducer escape_reducer(&reducer, data->jsgraph(),
escape_analysis.analysis_result(),
temp_zone);
AddReducer(data, &reducer, &escape_reducer);
// EscapeAnalysisReducer accesses the heap.
UnparkedScopeIfNeeded scope(data->broker());
reducer.ReduceGraph();
// TODO(tebbi): Turn this into a debug mode check once we have confidence.
escape_reducer.VerifyReplacement();
@ -1664,8 +1674,9 @@ struct SimplifiedLoweringPhase {
data->info()->GetPoisoningMitigationLevel(),
&data->info()->tick_counter());
// RepresentationChanger needs the LocalHeap unparked.
// RepresentationChanger accesses the heap.
UnparkedScopeIfNeeded scope(data->broker());
lowering.LowerAllNodes();
}
};
@ -1845,6 +1856,7 @@ struct LoadEliminationPhase {
&graph_reducer, data->jsgraph(), data->broker());
TypeNarrowingReducer type_narrowing_reducer(&graph_reducer, data->jsgraph(),
data->broker());
AddReducer(data, &graph_reducer, &branch_condition_elimination);
AddReducer(data, &graph_reducer, &dead_code_elimination);
AddReducer(data, &graph_reducer, &redundancy_elimination);
@ -1855,6 +1867,10 @@ struct LoadEliminationPhase {
AddReducer(data, &graph_reducer, &checkpoint_elimination);
AddReducer(data, &graph_reducer, &common_reducer);
AddReducer(data, &graph_reducer, &value_numbering);
// ConstantFoldingReducer and TypedOptimization access the heap.
UnparkedScopeIfNeeded scope(data->broker());
graph_reducer.ReduceGraph();
}
};

18
test/mjsunit/compiler/regress-1127405.js Normal file
View File

@ -0,0 +1,18 @@
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
// Flags: --no-analyze-environment-liveness --no-use-ic --assert-types
const symbol = Symbol();
function foo(x) {
try { x[symbol] = 42 } catch (e) {}
new Number();
}
%PrepareFunctionForOptimization(foo);
foo({});
%OptimizeFunctionOnNextCall(foo);
foo({});