[turbofan] Fix memory corruption with VirtualBoundFunctions

Bug: chromium:1018565 Change-Id: I72d41573a9a8c2f1a235ff50e918f89b1dc3f585 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879904 Commit-Queue: Maya Lekova <mslekova@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#64588}
2019-10-28 13:34:26 +01:00 · 2019-10-28 13:34:26 +01:00 · 48fb778e2d
commit 48fb778e2d
parent d4574d186f
2 changed files with 36 additions and 6 deletions
--- a/src/compiler/serializer-for-background-compilation.cc
+++ b/src/compiler/serializer-for-background-compilation.cc
@ -734,14 +734,11 @@ void Hints::AddFromChildSerializer(const Hints& other, Zone* zone) {
  for (auto x : other.constants()) AddConstant(x, zone);
  for (auto x : other.maps()) AddMap(x, zone);
  for (auto x : other.virtual_contexts()) AddVirtualContext(x, zone);
-  for (auto x : other.virtual_bound_functions()) {
-    AddVirtualBoundFunction(x, zone);
-  }

  // Adding hints from a child serializer run means copying data out from
-  // a zone that's being destroyed. FunctionBlueprints have zone allocated
-  // data, so we've got to make a deep copy to eliminate traces of the
-  // dying zone.
+  // a zone that's being destroyed. FunctionBlueprints and VirtualBoundFunction
+  // have zone allocated data, so we've got to make a deep copy to eliminate
+  // traces of the dying zone.
  for (auto x : other.function_blueprints()) {
    Hints new_blueprint_hints;
    new_blueprint_hints.AddFromChildSerializer(x.context_hints(), zone);
@ -749,6 +746,19 @@ void Hints::AddFromChildSerializer(const Hints& other, Zone* zone) {
                                    new_blueprint_hints);
    AddFunctionBlueprint(new_blueprint, zone);
  }
+  for (auto x : other.virtual_bound_functions()) {
+    Hints new_target_hints;
+    new_target_hints.AddFromChildSerializer(x.bound_target, zone);
+    HintsVector new_arguments_hints(zone);
+    for (auto hint : x.bound_arguments) {
+      Hints new_arg_hints;
+      new_arg_hints.AddFromChildSerializer(hint, zone);
+      new_arguments_hints.push_back(new_arg_hints);
+    }
+    VirtualBoundFunction new_bound_function(new_target_hints,
+                                            new_arguments_hints);
+    AddVirtualBoundFunction(new_bound_function, zone);
+  }
 }

 bool Hints::IsEmpty() const {
--- a/test/mjsunit/compiler/regress-bound-functions.js
+++ b/test/mjsunit/compiler/regress-bound-functions.js
@ -0,0 +1,20 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+  return Array.prototype.sort.bind([]);
+}
+
+function bar() {
+  return foo();
+}
+
+%PrepareFunctionForOptimization(foo);
+%PrepareFunctionForOptimization(bar);
+bar();
+bar();
+%OptimizeFunctionOnNextCall(bar);
+bar();