AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[turbofan] Fix frame state for class literal definition.

Browse Source 
This introduces a bailout point for class literals right after the
%DefineClass function has been called. Otherwise the FrameState after
class literal evaluation might contain the literal itself.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-480819
BUG=chromium:480819
LOG=N

Review URL: https://codereview.chromium.org/1104673004

Cr-Commit-Position: refs/heads/master@{#28043}
This commit is contained in:
mstarzinger 2015-04-24 04:13:13 -07:00 committed by Commit bot
parent 63f7fbfea6
commit 6b60f19168
4 changed files with 16 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/ast.h
View File

@ -2696,13 +2696,14 @@ class ClassLiteral final : public Expression {
BailoutId EntryId() const { return BailoutId(local_id(0)); }
BailoutId DeclsId() const { return BailoutId(local_id(1)); }
BailoutId ExitId() { return BailoutId(local_id(2)); }
BailoutId CreateLiteralId() const { return BailoutId(local_id(3)); }
// Return an AST id for a property that is used in simulate instructions.
BailoutId GetIdForProperty(int i) { return BailoutId(local_id(i + 3)); }
BailoutId GetIdForProperty(int i) { return BailoutId(local_id(i + 4)); }
// Unlike other AST nodes, this number of bailout IDs allocated for an
// ClassLiteral can vary, so num_ids() is not a static method.
int num_ids() const { return parent_num_ids() + 3 + properties()->length(); }
int num_ids() const { return parent_num_ids() + 4 + properties()->length(); }
protected:
ClassLiteral(Zone* zone, const AstRawString* name, Scope* scope,

3
src/compiler/ast-graph-builder.cc
View File

@ -1518,6 +1518,8 @@ void AstGraphBuilder::VisitClassLiteralContents(ClassLiteral* expr) {
Node* end = jsgraph()->Constant(expr->end_position());
const Operator* opc = javascript()->CallRuntime(Runtime::kDefineClass, 6);
Node* literal = NewNode(opc, name, extends, constructor, script, start, end);
PrepareFrameState(literal, expr->CreateLiteralId(),
OutputFrameStateCombine::Push());
// The prototype is ensured to exist by Runtime_DefineClass. No access check
// is needed here since the constructor is created by the class literal.
@ -1594,7 +1596,6 @@ void AstGraphBuilder::VisitClassLiteralContents(ClassLiteral* expr) {
BuildVariableAssignment(var, literal, Token::INIT_CONST, BailoutId::None());
}
PrepareFrameState(literal, expr->id(), ast_context()->GetStateCombine());
ast_context()->ProduceValue(literal);
}

1
src/full-codegen.cc
View File

@ -1591,6 +1591,7 @@ void FullCodeGenerator::VisitClassLiteral(ClassLiteral* lit) {
__ Push(Smi::FromInt(lit->end_position()));
__ CallRuntime(Runtime::kDefineClass, 6);
PrepareForBailoutForId(lit->CreateLiteralId(), TOS_REG);
EmitClassDefineProperties(lit);
if (lit->scope() != NULL) {

10
test/mjsunit/regress/regress-crbug-480819.js Normal file
View File

@ -0,0 +1,10 @@
// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --turbo-filter=* --always-opt --turbo-deoptimization --noanalyze-environment-liveness
(function() {
"use strict";
class C1 {}
})();