[deoptimizer] Materialize JSFunction objects without context.

This fixes the materialization of JSFunction objects to not rely on a context being available. The context has been cleared because it might be de-materiallized itself. R=bmeurer@chromium.org TEST=mjsunit/compiler/escape-analysis-materialize BUG=chromium:644245 Review-Url: https://codereview.chromium.org/2320983002 Cr-Commit-Position: refs/heads/master@{#39277}
2016-09-08 05:15:32 -07:00 · 2016-09-08 05:15:32 -07:00 · 9d6872cdf1
commit 9d6872cdf1
parent 4ef7e3e7c7
2 changed files with 35 additions and 5 deletions
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@ -3774,14 +3774,15 @@ Handle<Object> TranslatedState::MaterializeAt(int frame_index,
          return object;
        }
        case JS_FUNCTION_TYPE: {
+          Handle<SharedFunctionInfo> temporary_shared =
+              isolate_->factory()->NewSharedFunctionInfo(
+                  isolate_->factory()->empty_string(), MaybeHandle<Code>(),
+                  false);
          Handle<JSFunction> object =
              isolate_->factory()->NewFunctionFromSharedFunctionInfo(
-                  handle(isolate_->object_function()->shared()),
-                  handle(isolate_->context()));
+                  map, temporary_shared, isolate_->factory()->undefined_value(),
+                  NOT_TENURED);
          slot->value_ = object;
-          // We temporarily allocated a JSFunction for the {Object} function
-          // within the current context, to break cycles in the object graph.
-          // The correct function and context will be set below once available.
          Handle<Object> properties = MaterializeAt(frame_index, value_index);
          Handle<Object> elements = MaterializeAt(frame_index, value_index);
          Handle<Object> prototype = MaterializeAt(frame_index, value_index);
--- a/test/mjsunit/compiler/escape-analysis-materialize.js
+++ b/test/mjsunit/compiler/escape-analysis-materialize.js
@ -0,0 +1,29 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo --turbo-escape
+
+(function TestMaterializeArray() {
+  function f() {
+    var a = [1,2,3];
+    %_DeoptimizeNow();
+    return a.length;
+  }
+  assertEquals(3, f());
+  assertEquals(3, f());
+  %OptimizeFunctionOnNextCall(f);
+  assertEquals(3, f());
+})();
+
+(function TestMaterializeFunction() {
+  function g() {
+    function fun(a, b) {}
+    %_DeoptimizeNow();
+    return fun.length;
+  }
+  assertEquals(2, g());
+  assertEquals(2, g());
+  %OptimizeFunctionOnNextCall(g);
+  assertEquals(2, g());
+})();