From 6b60f191687d645f44c9050d29bd6573c3c9ef8c Mon Sep 17 00:00:00 2001
From: mstarzinger
Date: Fri, 24 Apr 2015 04:13:13 -0700
Subject: [PATCH] [turbofan] Fix frame state for class literal definition.
This introduces a bailout point for class literals right after the %DefineClass function has been called. Otherwise the FrameState after class literal evaluation might contain the literal itself.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-480819
BUG=chromium:480819
LOG=N
Review URL: https://codereview.chromium.org/1104673004
Cr-Commit-Position: refs/heads/master@{#28043}
---
 src/ast.h | 5 +++--
 src/compiler/ast-graph-builder.cc | 3 ++-
 src/full-codegen.cc | 1 +
 test/mjsunit/regress/regress-crbug-480819.js | 10 ++++++++++
 4 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-480819.js
diff --git a/src/ast.h b/src/ast.h
index 5a89cda12f..330aa9eec7 100644
--- a/src/ast.h
+++ b/src/ast.h
@@ -2696,13 +2696,14 @@ class ClassLiteral final : public Expression {
 BailoutId EntryId() const { return BailoutId(local_id(0)); }
 BailoutId DeclsId() const { return BailoutId(local_id(1)); }
 BailoutId ExitId() { return BailoutId(local_id(2)); }
+ BailoutId CreateLiteralId() const { return BailoutId(local_id(3)); }
 // Return an AST id for a property that is used in simulate instructions.
- BailoutId GetIdForProperty(int i) { return BailoutId(local_id(i + 3)); }
+ BailoutId GetIdForProperty(int i) { return BailoutId(local_id(i + 4)); }
 // Unlike other AST nodes, this number of bailout IDs allocated for an
 // ClassLiteral can vary, so num_ids() is not a static method.
- int num_ids() const { return parent_num_ids() + 3 + properties()->length(); }
+ int num_ids() const { return parent_num_ids() + 4 + properties()->length(); }
 protected:
 ClassLiteral(Zone* zone, const AstRawString* name, Scope* scope,
diff --git a/src/compiler/ast-graph-builder.cc b/src/compiler/ast-graph-builder.cc
index d299aec2ac..9dd11b8770 100644
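Review bot: The count of fixed bailout ids is now spelled out three separate times in the src/ast.h hunk, as `local_id(3)` in `CreateLiteralId()`, `i + 4` in `GetIdForProperty()` and `+ 4` in `num_ids()`, with nothing tying them together. If a later change adds another fixed id and misses one of these, a property id would presumably alias a fixed id and the deoptimizer would be handed the wrong frame state. A private constant such as `static const int kFixedIdCount = 4;`, used by both `GetIdForProperty` and `num_ids`, would reduce that to one edit. `GetIdForProperty` also uses `i` unchecked, and `DCHECK(0 <= i && i < properties()->length());` would catch an index that falls outside the range `num_ids()` reserves. The ClassLiteral class body starts and ends outside the hunk.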
--- a/src/compiler/ast-graph-builder.cc
+++ b/src/compiler/ast-graph-builder.cc
@@ -1518,6 +1518,8 @@ void AstGraphBuilder::VisitClassLiteralContents(ClassLiteral* expr) {
 Node* end = jsgraph()->Constant(expr->end_position());
 const Operator* opc = javascript()->CallRuntime(Runtime::kDefineClass, 6);
 Node* literal = NewNode(opc, name, extends, constructor, script, start, end);
+ PrepareFrameState(literal, expr->CreateLiteralId(),
+ OutputFrameStateCombine::Push());
 // The prototype is ensured to exist by Runtime_DefineClass. No access check
 // is needed here since the constructor is created by the class literal.
@@ -1594,7 +1596,6 @@ void AstGraphBuilder::VisitClassLiteralContents(ClassLiteral* expr) {
 BuildVariableAssignment(var, literal, Token::INIT_CONST, BailoutId::None());
 }
- PrepareFrameState(literal, expr->id(), ast_context()->GetStateCombine());
 ast_context()->ProduceValue(literal);
 }
diff --git a/src/full-codegen.cc b/src/full-codegen.cc
index 08fe7a7844..3386ce12e5 100644
--- a/src/full-codegen.cc
+++ b/src/full-codegen.cc
@@ -1591,6 +1591,7 @@ void FullCodeGenerator::VisitClassLiteral(ClassLiteral* lit) {
 __ Push(Smi::FromInt(lit->end_position()));
 __ CallRuntime(Runtime::kDefineClass, 6);
+ PrepareForBailoutForId(lit->CreateLiteralId(), TOS_REG);
 EmitClassDefineProperties(lit);
 if (lit->scope() != NULL) {
diff --git a/test/mjsunit/regress/regress-crbug-480819.js b/test/mjsunit/regress/regress-crbug-480819.js
new file mode 100644
index 0000000000..8d3b7eed60
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-480819.js
@@ -0,0 +1,10 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --turbo-filter=* --always-opt --turbo-deoptimization --noanalyze-environment-liveness
+
+(function() {
+ "use strict";
+ class C1 {}
+})();
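Review bot: The new `PrepareFrameState(literal, expr->CreateLiteralId(), OutputFrameStateCombine::Push())` in the first src/compiler/ast-graph-builder.cc hunk has no comment explaining why the frame state is attached directly after the `%DefineClass` call. It also does not say that it has to stay paired with the `PrepareForBailoutForId(lit->CreateLiteralId(), TOS_REG)` added in the src/full-codegen.cc hunk. A mismatch between the two compilers' bailout points would presumably surface only as a wrong frame on deoptimization, so the pairing deserves a line in both places, e.g. `// Bailout point right after %DefineClass; keep in sync with CreateLiteralId() in full-codegen.` The second hunk in this file drops the old `expr->id()` frame state, and whether anything later in the function still expects a state at `expr->id()` cannot be seen from here. `VisitClassLiteralContents` starts and ends outside both hunks.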
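Review bot: The regression test in test/mjsunit/regress/regress-crbug-480819.js defines only an empty class, so the property ids this commit renumbers (`GetIdForProperty` moves from `i + 3` to `i + 4` in src/ast.h) are never reached under `--always-opt --turbo-deoptimization`. A second literal with members, for example `class C2 extends C1 { m() {} static s() {} }`, would run the property-definition path that follows the new bailout point, assuming TurboFan accepts it at this revision. The file also contains no assertion and relies on the build's own checks to fail. A one-line comment such as `// Must not crash or hit a check when optimized.` would make that intent explicit.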