From cb9d0fe7f4789dc5c471fcb092457efc503bd2e4 Mon Sep 17 00:00:00 2001
From: rmcilroy
Date: Fri, 16 Dec 2016 02:44:50 -0800
Subject: [PATCH] [Complier] Only optimize a function marked for tier-up if it is compiled.

When mark-shared-funtion-for-tier-up is enabled, a function could be marked for optimization, then the baseline (FCG) code is flushed by the GC. The next time the function is executed, we shouldn't optimize the code if there isn't baseline code.

BUG=chromium:673242
Review-Url: https://codereview.chromium.org/2575333003
Cr-Commit-Position: refs/heads/master@{#41751}
---
 src/compiler.cc | 3 ++-
 test/mjsunit/regress/regress-673242.js | 31 ++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 test/mjsunit/regress/regress-673242.js

diff --git a/src/compiler.cc b/src/compiler.cc
index a45d7aacc9..e9b6c196b5 100644
--- a/src/compiler.cc
+++ b/src/compiler.cc
@@ -897,7 +897,8 @@ MaybeHandle GetLazyCode(Handle function) {
     return cached_code;
   }
-  if (function->shared()->marked_for_tier_up()) {
+  if (function->shared()->is_compiled() &&
+      function->shared()->marked_for_tier_up()) {
     DCHECK(FLAG_mark_shared_functions_for_tier_up);
     function->shared()->set_marked_for_tier_up(false);
diff --git a/test/mjsunit/regress/regress-673242.js b/test/mjsunit/regress/regress-673242.js
new file mode 100644
index 0000000000..ceb60f563c
--- /dev/null
+++ b/test/mjsunit/regress/regress-673242.js
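Review bot: The new `is_compiled()` guard leaves `marked_for_tier_up` set when the baseline code has been flushed, since `set_marked_for_tier_up(false)` only runs inside the branch; the mark therefore appears to be carried over and acted on the next time this path is taken with compiled code. If that deferred tier-up is intended rather than a leftover, the split condition deserves a comment, e.g. `// The baseline code may have been flushed by the GC since the function was marked; keep the mark and only tier up once baseline code exists again.`, so the next reader does not have to reconstruct chromium:673242 to understand it. GetLazyCode's body continues outside the hunk on both sides.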
@@ -0,0 +1,31 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --mark-shared-functions-for-tier-up --allow-natives-syntax --expose-gc
+
+function foo() {
+  function bar() {
+  }
+  return bar;
+}
+
+// Mark bar's shared function info for tier-up
+// (but don't optimize).
+var bar = foo();
+%OptimizeFunctionOnNextCall(bar);
+
+// Avoid flushing foo (and thereby making bar's shared function info
+// dead) by marking it to be optimized.
+%OptimizeFunctionOnNextCall(foo);
+
+// Throw away the JSFunction we have for bar and GC until its code has
+// been flushed.
+bar = null;
+for (var i = 0; i < 6; i++) {
+  gc();
+}
+
+// Now create a new JSFunction from bar's shared function info and call it,
+// we should not optimize without recompiling the baseline code.
+foo()();
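Review bot: The loop bound in `for (var i = 0; i < 6; i++) { gc(); }` is an unexplained magic number; the comment above says to GC "until its code has been flushed", but nothing ties 6 to the flushing threshold, so if that threshold ever grows the test silently stops exercising the flushed-code path. A comment such as `// 6 GC cycles is enough for the code flusher to age out bar's baseline code; revisit if the flushing threshold changes.` would make the dependency visible. The test also has no explicit assertion and passes only by not crashing (presumably on the DCHECK in GetLazyCode) on the final `foo()();`, which is worth stating in the closing comment so a later reader understands what a failure looks like.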