diff --git a/src/objects/js-objects.cc b/src/objects/js-objects.cc
index 58d616ed98..4ba6ee9d83 100644
--- a/src/objects/js-objects.cc
+++ b/src/objects/js-objects.cc
@@ -4985,6 +4985,17 @@ void JSFunction::EnsureFeedbackVector(Handle function) {
 // static
 void JSFunction::InitializeFeedbackCell(Handle function) {
 Isolate* const isolate = function->GetIsolate();
+
+ if (function->has_feedback_vector()) {
+ // TODO(984344): Make this a CHECK that feedback vectors are identical to
+ // what we expect once we have removed all bytecode generation differences
+ // between eager and lazy compilation. For now just reset if they aren't
+ // identical
+ FeedbackVector vector = function->feedback_vector();
+ if (vector.length() == vector.metadata().slot_count()) return;
+ function->raw_feedback_cell().reset();
+ }
+
 bool needs_feedback_vector = !FLAG_lazy_feedback_allocation;
 // We need feedback vector for certain log events, collecting type profile
 // and more precise code coverage.
diff --git a/test/mjsunit/regress/regress-crbug-984344.js b/test/mjsunit/regress/regress-crbug-984344.js
new file mode 100644
index 0000000000..fea2c2d642
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-984344.js
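Review bot: The staleness test `if (vector.length() == vector.metadata().slot_count()) return;` compares only counts, so an existing feedback vector whose slot kinds differ from the current metadata but that happens to have the same number of slots is kept, and a vector read through a layout it was not created for is a type-confusion hazard rather than a benign perf loss. If a full metadata comparison is too expensive on this path, the comment should say that length is being used as a proxy, e.g. `// Length equality is only a proxy for layout equality; slot kinds are not compared.`, so the TODO's future CHECK is not mistaken for what this line already guarantees. The body of InitializeFeedbackCell continues past the end of the hunk, so whether a cell left in the reset state is always re-populated when no new vector is needed cannot be confirmed from here.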
@@ -0,0 +1,34 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function largeAllocToTriggerGC() {
+ for (let i = 0; i < 16; i++) {
+ let ab = new ArrayBuffer(1024 * 1024 * 10);
+ }
+}
+
+function foo() {
+ eval('function bar(a) {}' +
+ '(function() {' +
+ ' for (let c = 0; c < 505; c++) {' +
+ ' while (Promise >= 0xDEADBEEF) {' +
+ ' Array.prototype.slice.call(bar, bar, bar);' +
+ ' }' +
+ ' for (let i = 0; i < 413; i++) {' +
+ ' }' +
+ ' }' +
+ '})();' +
+ 'largeAllocToTriggerGC();');
+}
+
+
+foo();
+foo();
+foo();
+// Don't prepare until here to allow function to be flushed.
+%PrepareFunctionForOptimization(foo);
+%OptimizeFunctionOnNextCall(foo);
+foo();
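Review bot: The test file does not state what it regresses, so a reader must reconstruct from the C++ change that the scenario is a feedback vector surviving bytecode flushing and then disagreeing with the metadata of the re-generated bytecode. A one-line comment after the Flags line would prevent that, e.g. `// Regression test for crbug.com/984344: a feedback vector that outlives bytecode flushing must be reset when recompiled bytecode yields a different slot layout.` The never-entered `while (Promise >= 0xDEADBEEF)` loop and the unused `ab` buffers in largeAllocToTriggerGC appear intentional (shaping the feedback slot layout and forcing GC so bytecode is flushed), but that is inferred; a short comment on each would keep a future cleanup from simplifying them away and silently losing the coverage.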