From 792bf2a0933ded1b66f1db219be7f27fe8b9ad99 Mon Sep 17 00:00:00 2001 From: ishell Date: Tue, 5 Apr 2016 02:42:24 -0700 Subject: [PATCH] [crankshaft] Fix environment handling after leaving inlined tail call. BUG=chromium:537444, v8:4698 LOG=N TBR=bmeurer@chromium.org Review URL: https://codereview.chromium.org/1859763005 Cr-Commit-Position: refs/heads/master@{#35253} --- src/crankshaft/hydrogen.cc | 5 ++++ src/crankshaft/hydrogen.h | 4 +++ src/crankshaft/lithium.cc | 1 + src/deoptimizer.cc | 2 +- test/mjsunit/regress/regress-crbug-537444.js | 28 ++++++++++++++++++++ 5 files changed, 39 insertions(+), 1 deletion(-) create mode 100644 test/mjsunit/regress/regress-crbug-537444.js diff --git a/src/crankshaft/hydrogen.cc b/src/crankshaft/hydrogen.cc index 2ce6aa9063..38a9fd0ad8 100644 --- a/src/crankshaft/hydrogen.cc +++ b/src/crankshaft/hydrogen.cc @@ -13162,6 +13162,11 @@ void HEnvironment::MarkAsTailCaller() { frame_type_ = TAIL_CALLER_FUNCTION; } +void HEnvironment::ClearTailCallerMark() { + DCHECK_EQ(TAIL_CALLER_FUNCTION, frame_type()); + frame_type_ = JS_FUNCTION; +} + HEnvironment* HEnvironment::CopyForInlining( Handle target, int arguments, FunctionLiteral* function, HConstant* undefined, InliningKind inlining_kind, diff --git a/src/crankshaft/hydrogen.h b/src/crankshaft/hydrogen.h index 2b40069363..10c0baa29d 100644 --- a/src/crankshaft/hydrogen.h +++ b/src/crankshaft/hydrogen.h @@ -625,6 +625,9 @@ class HEnvironment final : public ZoneObject { outer = outer->outer_; } if (drop_extra) outer->Drop(1); + if (outer->frame_type() == TAIL_CALLER_FUNCTION) { + outer->ClearTailCallerMark(); + } return outer; } @@ -685,6 +688,7 @@ class HEnvironment final : public ZoneObject { // Marks current environment as tail caller by setting frame type to // TAIL_CALLER_FUNCTION. void MarkAsTailCaller(); + void ClearTailCallerMark(); // True if index is included in the expression stack part of the environment. bool HasExpressionAt(int index) const; 
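Review bot: ClearTailCallerMark restores frame_type_ to the constant JS_FUNCTION, which assumes every environment that went through MarkAsTailCaller was a JS_FUNCTION frame beforehand; MarkAsTailCaller (only its last lines are visible in this hunk) does not record the previous type. If the mark can ever be applied to another frame type, the clear would silently retype it, so either a DCHECK in MarkAsTailCaller that frame_type() is JS_FUNCTION or a comment stating the precondition would help: `// Only JS_FUNCTION frames are marked as tail callers, so JS_FUNCTION is the correct type to restore.` The DCHECK_EQ is compiled out in release builds, where an unexpected frame type would be rewritten without complaint; in this commit the only caller, DiscardInlined, guards the call with a frame_type() check, which keeps that safe.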
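Review bot: The new `if (outer->frame_type() == TAIL_CALLER_FUNCTION)` block clears the tail-caller mark on the outer environment in place, but nothing in the hunk says why that belongs on the inlining-exit path; the companion DCHECK_NE added to LChunkBuilderBase::AssignEnvironment in this commit is the reason, and a one-line comment here would tie the two together: `// Leaving the inlined tail callee: the outer frame is an ordinary JS_FUNCTION frame again and must not reach AssignEnvironment still marked as a tail caller.` Because the mutation is on the shared outer environment rather than a copy, a later exit path from the same inlined callee will already see JS_FUNCTION; the guard makes that harmless, and presumably is what keeps an unguarded ClearTailCallerMark() from tripping its DCHECK_EQ, which is worth saying in the comment too. DiscardInlined starts outside the hunk, so the loop condition above `outer = outer->outer_;` is not visible here.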
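Review bot: MarkAsTailCaller carries a two-line comment, but the new ClearTailCallerMark declaration directly beneath it has none, so the pairing and its precondition are only discoverable by reading hydrogen.cc. Suggest mirroring the existing style: `// Undoes MarkAsTailCaller by restoring the frame type to JS_FUNCTION. The environment must currently be marked TAIL_CALLER_FUNCTION (DCHECKed in the definition).`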
diff --git a/src/crankshaft/lithium.cc b/src/crankshaft/lithium.cc index 3b25081f55..3dff459a54 100644 --- a/src/crankshaft/lithium.cc +++ b/src/crankshaft/lithium.cc @@ -512,6 +512,7 @@ LInstruction* LChunkBuilderBase::AssignEnvironment(LInstruction* instr, HEnvironment* hydrogen_env) { int argument_index_accumulator = 0; ZoneList objects_to_materialize(0, zone()); + DCHECK_NE(TAIL_CALLER_FUNCTION, hydrogen_env->frame_type()); instr->set_environment(CreateEnvironment( hydrogen_env, &argument_index_accumulator, &objects_to_materialize)); return instr; diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc index 2c330e378d..a8405daee3 100644 --- a/src/deoptimizer.cc +++ b/src/deoptimizer.cc @@ -1430,7 +1430,7 @@ void Deoptimizer::DoComputeTailCallerFrame(TranslatedFrame* translated_frame, bool is_bottommost = (0 == frame_index); // Tail caller frame can't be topmost. - DCHECK_NE(output_count_ - 1, frame_index); + CHECK_NE(output_count_ - 1, frame_index); if (trace_scope_ != NULL) { PrintF(trace_scope_->file(), " translating tail caller frame "); diff --git a/test/mjsunit/regress/regress-crbug-537444.js b/test/mjsunit/regress/regress-crbug-537444.js new file mode 100644 index 0000000000..1cb1f9ad92 --- /dev/null +++ b/test/mjsunit/regress/regress-crbug-537444.js @@ -0,0 +1,28 @@ +// Copyright 2016 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --harmony-tailcalls --allow-natives-syntax + +"use strict"; + +function f(x) { + return x; +} + +function g(x) { + return false ? 0 : f(x, 1); +} + +function h(x) { + var z = g(x, 1); + return z + 1; +} + +%SetForceInlineFlag(g); +%SetForceInlineFlag(f); + +h(1); +h(1); +%OptimizeFunctionOnNextCall(h); +h("a");
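Review bot: The added DCHECK_NE inspects only hydrogen_env itself, not its outer chain, and nothing at the call site says whether that narrowness is intended; it appears to be, since the deoptimizer's DoComputeTailCallerFrame exists precisely to translate tail-caller frames that are not topmost, but a reader could easily "strengthen" the check to walk the chain and break inlined tail calls. A comment would settle it: `// Only the innermost environment is checked: outer frames may legitimately be tail callers while an inlined tail call is in progress; the mark is cleared in HEnvironment::DiscardInlined.` Note the DCHECK is compiled out in release builds, so there the invariant is enforced only by the CHECK_NE in Deoptimizer::DoComputeTailCallerFrame from the same commit. AssignEnvironment's signature begins in the hunk header and its closing brace is past the last context line, so the function is not fully visible here.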
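Review bot: Promoting DCHECK_NE to CHECK_NE turns this into a release-mode abort instead of continuing to materialize a tail-caller frame as the topmost output frame, but the existing comment `// Tail caller frame can't be topmost.` only restates the condition, not which code is responsible for upholding it. Since a failure here will now surface in production crash reports, the comment should name the owner so the report is traceable: `// Tail caller frames are intermediate only: HEnvironment::DiscardInlined clears the mark when the inlined callee is left, and LChunkBuilderBase::AssignEnvironment DCHECKs it.` DoComputeTailCallerFrame starts before and ends after this hunk.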
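Review bot: The regression test only exercises the crash path and never checks a result, so an environment that is wrong but non-crashing after the deoptimizing call `h("a")` would still pass; mjsunit's assertEquals is available, e.g. `assertEquals(2, h(1));` for the warm-up calls and `assertEquals("a1", h("a"));` for the final call. The extra argument in `f(x, 1)` and `g(x, 1)` (each callee declares a single parameter) looks deliberate — presumably to shape the frames under the inlined tail call — and deserves a comment so a later cleanup does not remove it; confirm the intent and state it, e.g. `// Extra arguments are intentional: they change the frame layout of the inlined tail call.` The `false ? 0 : f(x, 1)` form likewise reads as a way to keep the call in tail position inside a conditional and would benefit from the same one-line note.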