[compiler] Tolerate failing ConsistentJSFunctionViewDep post-GC

GC may change heap state and make this dependency fail. That's okay - it passed once before, meaning that compilation saw a self-consistent JSFunctionRef state. Bug: chromium:1230930 Change-Id: I367b10e4aa88101f1ca83a46f596c5f289f6cab2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3040838 Auto-Submit: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#75802}
2021-07-20 07:40:35 +02:00 · 2021-07-20 07:40:35 +02:00 · bbefaeb5cc
commit bbefaeb5cc
parent 877ad41135
3 changed files with 39 additions and 5 deletions
--- a/src/compiler/compilation-dependencies.cc
+++ b/src/compiler/compilation-dependencies.cc
@ -355,6 +355,10 @@ class ConsistentJSFunctionViewDependency final : public CompilationDependency {

  void Install(Handle<Code> code) const override {}

+#ifdef DEBUG
+  bool IsConsistentJSFunctionViewDependency() const override { return true; }
+#endif
+
 private:
  const JSFunctionRef function_;
 };
@ -832,17 +836,27 @@ bool CompilationDependencies::Commit(Handle<Code> code) {
  }

  // It is even possible that a GC during the above installations invalidated
-  // one of the dependencies. However, this should only affect pretenure mode
-  // dependencies, which we assert below. It is safe to return successfully in
-  // these cases, because once the code gets executed it will do a stack check
-  // that triggers its deoptimization.
+  // one of the dependencies. However, this should only affect
+  //
+  // 1. pretenure mode dependencies, or
+  // 2. function consistency dependencies,
+  //
+  // which we assert below. It is safe to return successfully in these cases,
+  // because
+  //
+  // 1. once the code gets executed it will do a stack check that triggers its
+  //    deoptimization.
+  // 2. since the function state was deemed consistent above, that means the
+  //    compilation saw a self-consistent state of the jsfunction.
  if (FLAG_stress_gc_during_compilation) {
    broker_->isolate()->heap()->PreciseCollectAllGarbage(
        Heap::kForcedGC, GarbageCollectionReason::kTesting, kNoGCCallbackFlags);
  }
 #ifdef DEBUG
  for (auto dep : dependencies_) {
-    CHECK_IMPLIES(!dep->IsValid(), dep->IsPretenureModeDependency());
+    CHECK_IMPLIES(!dep->IsValid(),
+                  dep->IsPretenureModeDependency() ||
+                      dep->IsConsistentJSFunctionViewDependency());
  }
 #endif

--- a/src/compiler/compilation-dependency.h
+++ b/src/compiler/compilation-dependency.h
@ -26,6 +26,7 @@ class CompilationDependency : public ZoneObject {
      Handle<Map> const& receiver_map) const {
    return false;
  }
+  virtual bool IsConsistentJSFunctionViewDependency() const { return false; }
 #endif
 };

--- a/test/mjsunit/regress/regress-1230930.js
+++ b/test/mjsunit/regress/regress-1230930.js
@ -0,0 +1,19 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --stress-gc-during-compilation
+
+const __v_0 = class __c_0 extends Array {
+  constructor() {
+    super();
+    this.y = 1;
+  }
+};
+function __f_1() {
+  var __v_2 = new __v_0();
+}
+  %PrepareFunctionForOptimization(__f_1);
+__f_1();
+%OptimizeFunctionOnNextCall(__f_1);
+__f_1();