AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity

[crankshaft] Fix environment handling after leaving inlined tail call.

Browse Source 
BUG=chromium:537444, v8:4698
LOG=N
TBR=bmeurer@chromium.org

Review URL: https://codereview.chromium.org/1859763005

Cr-Commit-Position: refs/heads/master@{#35253}
This commit is contained in:
ishell 2016-04-05 02:42:24 -07:00 committed by Commit bot
parent 1354b1bf37
commit 792bf2a093
5 changed files with 39 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/crankshaft/hydrogen.cc
View File

@ -13162,6 +13162,11 @@ void HEnvironment::MarkAsTailCaller() {
frame_type_ = TAIL_CALLER_FUNCTION; frame_type_ = TAIL_CALLER_FUNCTION;
} }
void HEnvironment::ClearTailCallerMark() {
DCHECK_EQ(TAIL_CALLER_FUNCTION, frame_type());
frame_type_ = JS_FUNCTION;
}
HEnvironment* HEnvironment::CopyForInlining( HEnvironment* HEnvironment::CopyForInlining(
Handle<JSFunction> target, int arguments, FunctionLiteral* function, Handle<JSFunction> target, int arguments, FunctionLiteral* function,
HConstant* undefined, InliningKind inlining_kind, HConstant* undefined, InliningKind inlining_kind,

4
src/crankshaft/hydrogen.h
View File

@ -625,6 +625,9 @@ class HEnvironment final : public ZoneObject {
outer = outer->outer_; outer = outer->outer_;
} }
if (drop_extra) outer->Drop(1); if (drop_extra) outer->Drop(1);
if (outer->frame_type() == TAIL_CALLER_FUNCTION) {
outer->ClearTailCallerMark();
}
return outer; return outer;
} }
@ -685,6 +688,7 @@ class HEnvironment final : public ZoneObject {
// Marks current environment as tail caller by setting frame type to // Marks current environment as tail caller by setting frame type to
// TAIL_CALLER_FUNCTION. // TAIL_CALLER_FUNCTION.
void MarkAsTailCaller(); void MarkAsTailCaller();
void ClearTailCallerMark();
// True if index is included in the expression stack part of the environment. // True if index is included in the expression stack part of the environment.
bool HasExpressionAt(int index) const; bool HasExpressionAt(int index) const;

1
src/crankshaft/lithium.cc
View File

@ -512,6 +512,7 @@ LInstruction* LChunkBuilderBase::AssignEnvironment(LInstruction* instr,
HEnvironment* hydrogen_env) { HEnvironment* hydrogen_env) {
int argument_index_accumulator = 0; int argument_index_accumulator = 0;
ZoneList<HValue*> objects_to_materialize(0, zone()); ZoneList<HValue*> objects_to_materialize(0, zone());
DCHECK_NE(TAIL_CALLER_FUNCTION, hydrogen_env->frame_type());
instr->set_environment(CreateEnvironment( instr->set_environment(CreateEnvironment(
hydrogen_env, &argument_index_accumulator, &objects_to_materialize)); hydrogen_env, &argument_index_accumulator, &objects_to_materialize));
return instr; return instr;

2
src/deoptimizer.cc
View File

@ -1430,7 +1430,7 @@ void Deoptimizer::DoComputeTailCallerFrame(TranslatedFrame* translated_frame,
bool is_bottommost = (0 == frame_index); bool is_bottommost = (0 == frame_index);
// Tail caller frame can't be topmost. // Tail caller frame can't be topmost.
DCHECK_NE(output_count_ - 1, frame_index); CHECK_NE(output_count_ - 1, frame_index);
if (trace_scope_ != NULL) { if (trace_scope_ != NULL) {
PrintF(trace_scope_->file(), " translating tail caller frame "); PrintF(trace_scope_->file(), " translating tail caller frame ");

28
test/mjsunit/regress/regress-crbug-537444.js Normal file
View File

@ -0,0 +1,28 @@
// Copyright 2016 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --harmony-tailcalls --allow-natives-syntax
"use strict";
function f(x) {
return x;
}
function g(x) {
return false ? 0 : f(x, 1);
}
function h(x) {
var z = g(x, 1);
return z + 1;
}
%SetForceInlineFlag(g);
%SetForceInlineFlag(f);
h(1);
h(1);
%OptimizeFunctionOnNextCall(h);
h("a");