Extra code to diagnose a crash bug.

This will catch an invalid receiver before being passed to a load ic miss handler in the runtime. BUG= R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/1351493002 Cr-Commit-Position: refs/heads/master@{#30768}
2015-09-16 08:38:37 -07:00 · 2015-09-16 08:38:37 -07:00 · afba4792df
commit afba4792df
parent b5588f48fd
12 changed files with 57 additions and 17 deletions
--- a/src/builtins.cc
+++ b/src/builtins.cc
@ -1739,7 +1739,7 @@ BUILTIN(HandleApiCallAsConstructor) {


 static void Generate_LoadIC_Miss(MacroAssembler* masm) {
-  LoadIC::GenerateMiss(masm);
+  LoadIC::GenerateMiss(masm, LoadIC::kStressBuiltin);
 }


--- a/src/full-codegen/x64/full-codegen-x64.cc
+++ b/src/full-codegen/x64/full-codegen-x64.cc
@ -2262,14 +2262,15 @@ void FullCodeGenerator::EmitNamedPropertyLoad(Property* prop) {
  if (FeedbackVector()->GetIndex(prop->PropertyFeedbackSlot()) == 6) {
    __ Pop(LoadDescriptor::ReceiverRegister());

-    Label ok;
+    Label ok, sound_alarm;
    __ JumpIfSmi(rax, &ok, Label::kNear);
    __ movp(rbx, FieldOperand(rax, HeapObject::kMapOffset));
-    __ CmpInstanceType(rbx, LAST_PRIMITIVE_TYPE);
-    __ j(below_equal, &ok, Label::kNear);
-    __ CmpInstanceType(rbx, FIRST_JS_RECEIVER_TYPE);
-    __ j(above_equal, &ok, Label::kNear);
+    __ CompareRoot(rbx, Heap::kMetaMapRootIndex);
+    __ j(equal, &sound_alarm);
+    __ CompareRoot(rbx, Heap::kFixedArrayMapRootIndex);
+    __ j(not_equal, &ok, Label::kNear);

+    __ bind(&sound_alarm);
    __ Push(Smi::FromInt(0xaabbccdd));
    __ Push(LoadDescriptor::ReceiverRegister());
    __ movp(rbx, FieldOperand(LoadDescriptor::ReceiverRegister(),
--- a/src/ic/arm/ic-arm.cc
+++ b/src/ic/arm/ic-arm.cc
@ -300,7 +300,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
  // The return address is in lr.
  Isolate* isolate = masm->isolate();

--- a/src/ic/arm64/ic-arm64.cc
+++ b/src/ic/arm64/ic-arm64.cc
@ -280,7 +280,7 @@ void LoadIC::GenerateNormal(MacroAssembler* masm, LanguageMode language_mode) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
  // The return address is in lr.
  Isolate* isolate = masm->isolate();
  ASM_LOCATION("LoadIC::GenerateMiss");
--- a/src/ic/ia32/ic-ia32.cc
+++ b/src/ic/ia32/ic-ia32.cc
@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
  // Return address is on the stack.
  __ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);
  LoadIC_PushArgs(masm);
--- a/src/ic/ic.h
+++ b/src/ic/ic.h
@ -323,8 +323,17 @@ class LoadIC : public IC {
  }

  // Code generator routines.
-  static void GenerateInitialize(MacroAssembler* masm) { GenerateMiss(masm); }
-  static void GenerateMiss(MacroAssembler* masm);
+
+  // TODO(jkummerow): Remove the stress parameter and these stress constants
+  // when a crash bug is fixed.
+  static const int kStressNone = 0;
+  static const int kStressInit = 1;
+  static const int kStressDispatcher = 2;
+  static const int kStressBuiltin = 3;
+  static void GenerateInitialize(MacroAssembler* masm) {
+    GenerateMiss(masm, kStressInit);
+  }
+  static void GenerateMiss(MacroAssembler* masm, int stress = kStressNone);
  static void GenerateRuntimeGetProperty(MacroAssembler* masm,
                                         LanguageMode language_mode);
  static void GenerateNormal(MacroAssembler* masm, LanguageMode language_mode);
--- a/src/ic/mips/ic-mips.cc
+++ b/src/ic/mips/ic-mips.cc
@ -306,7 +306,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
  // The return address is in ra.
  Isolate* isolate = masm->isolate();

--- a/src/ic/mips64/ic-mips64.cc
+++ b/src/ic/mips64/ic-mips64.cc
@ -303,7 +303,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
  // The return address is on the stack.
  Isolate* isolate = masm->isolate();

--- a/src/ic/ppc/ic-ppc.cc
+++ b/src/ic/ppc/ic-ppc.cc
@ -310,7 +310,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
  // The return address is in lr.
  Isolate* isolate = masm->isolate();

--- a/src/ic/x64/ic-x64.cc
+++ b/src/ic/x64/ic-x64.cc
@ -667,7 +667,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
  // The return address is on the stack.

  Counters* counters = masm->isolate()->counters();
@ -675,6 +675,36 @@ void LoadIC::GenerateMiss(MacroAssembler* masm) {

  LoadIC_PushArgs(masm);

+  Register receiver = LoadDescriptor::ReceiverRegister();
+
+  // Sanity check: The receiver must be a JS-exposed kind of object,
+  // not something internal (like a Map, or FixedArray). Check this here
+  // to chase after a rare but recurring crash bug.
+  // TODO(jkummerow): Remove this when it has generated a few crash reports.
+
+  Label ok, sound_alarm;
+  __ JumpIfSmi(receiver, &ok, Label::kNear);
+  __ movp(rbx, FieldOperand(receiver, HeapObject::kMapOffset));
+  __ CompareRoot(rbx, Heap::kMetaMapRootIndex);
+  __ j(equal, &sound_alarm);
+  __ CompareRoot(rbx, Heap::kFixedArrayMapRootIndex);
+  __ j(not_equal, &ok, Label::kNear);
+
+  // This cmpp instruction is only here to identify which of several kinds
+  // of code blocks embedded the MISS code. (handler, dispatcher).
+  __ cmpp(receiver, Immediate(stress));
+
+  __ bind(&sound_alarm);
+  __ Push(Smi::FromInt(0xaabbccdd));
+  __ Push(receiver);
+  __ movp(rbx, FieldOperand(receiver, HeapObject::kMapOffset));
+  __ Push(rbx);
+  __ movp(rbx, FieldOperand(receiver, JSObject::kPropertiesOffset));
+  __ Push(rbx);
+  __ int3();
+
+  __ bind(&ok);
+
  // Perform tail call to the entry.
  int arg_count = 4;
  __ TailCallRuntime(Runtime::kLoadIC_Miss, arg_count, 1);
--- a/src/ic/x87/ic-x87.cc
+++ b/src/ic/x87/ic-x87.cc
@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
  // Return address is on the stack.
  __ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);
  LoadIC_PushArgs(masm);
--- a/src/x64/code-stubs-x64.cc
+++ b/src/x64/code-stubs-x64.cc
@ -4348,7 +4348,7 @@ void LoadICStub::GenerateImpl(MacroAssembler* masm, bool in_frame) {
      masm, Code::LOAD_IC, code_flags, receiver, name, feedback, no_reg);

  __ bind(&miss);
-  LoadIC::GenerateMiss(masm);
+  LoadIC::GenerateMiss(masm, LoadIC::kStressDispatcher);

  __ bind(&load_smi_map);
  __ LoadRoot(receiver_map, Heap::kHeapNumberMapRootIndex);