[Compile] Ensure we don't reuse a feedback vector with a different layout than expected.

If we flush the bytecode from a SFI we might recompile a JSFunction while the function still has its old feedback vector. This should usually be fine since the new and old feedback vectors have the same layout, however some bugs in the parser mean that it's possible for eagerly and lazily compiled eval functions to have different bytecode and so potentially different feedback vector layouts. For now reset the feedback vector if it doesn't have the same size when we compile the JSFunction, and recreate a new one of the correct layout. This will be replaced with a CHECK once the parser bugs are fixed. BUG=chromium:984344,v8:9511 Change-Id: Ib8976f2541516f7a07e4d4ab7dc3c750dfe9b5d4 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1708474 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Commit-Queue: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Auto-Submit: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#62800}
2019-07-18 13:03:57 +01:00 · 2019-07-18 13:03:57 +01:00 · b06a134c24
commit b06a134c24
parent b496454040
2 changed files with 45 additions and 0 deletions
--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@ -4985,6 +4985,17 @@ void JSFunction::EnsureFeedbackVector(Handle<JSFunction> function) {
 // static
 void JSFunction::InitializeFeedbackCell(Handle<JSFunction> function) {
  Isolate* const isolate = function->GetIsolate();
+
+  if (function->has_feedback_vector()) {
+    // TODO(984344): Make this a CHECK that feedback vectors are identical to
+    // what we expect once we have removed all bytecode generation differences
+    // between eager and lazy compilation. For now just reset if they aren't
+    // identical
+    FeedbackVector vector = function->feedback_vector();
+    if (vector.length() == vector.metadata().slot_count()) return;
+    function->raw_feedback_cell().reset();
+  }
+
  bool needs_feedback_vector = !FLAG_lazy_feedback_allocation;
  // We need feedback vector for certain log events, collecting type profile
  // and more precise code coverage.
--- a/test/mjsunit/regress/regress-crbug-984344.js
+++ b/test/mjsunit/regress/regress-crbug-984344.js
@ -0,0 +1,34 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function largeAllocToTriggerGC() {
+  for (let i = 0; i < 16; i++) {
+    let ab = new ArrayBuffer(1024 * 1024 * 10);
+  }
+}
+
+function foo() {
+  eval('function bar(a) {}' +
+       '(function() {' +
+       '  for (let c = 0; c < 505; c++) {' +
+       '    while (Promise >= 0xDEADBEEF) {' +
+       '      Array.prototype.slice.call(bar, bar, bar);' +
+       '    }' +
+       '    for (let i = 0; i < 413; i++) {' +
+       '    }' +
+       '  }' +
+       '})();' +
+       'largeAllocToTriggerGC();');
+}
+
+
+foo();
+foo();
+foo();
+// Don't prepare until here to allow function to be flushed.
+%PrepareFunctionForOptimization(foo);
+%OptimizeFunctionOnNextCall(foo);
+foo();