Fix bug in Runtime_CompileOptimized resulting from stack overflow.

R=jarin@chromium.org BUG=chromium:446389 LOG=Y Review URL: https://codereview.chromium.org/844503002 Cr-Commit-Position: refs/heads/master@{#25974}
2015-01-07 05:43:31 -08:00 · 2015-01-07 05:43:31 -08:00 · d77d3ba9a3
commit d77d3ba9a3
parent fdf6777072
2 changed files with 24 additions and 1 deletions
--- a/src/runtime/runtime-compiler.cc
+++ b/src/runtime/runtime-compiler.cc
@ -69,9 +69,20 @@ RUNTIME_FUNCTION(Runtime_CompileOptimized) {
      concurrent ? Compiler::CONCURRENT : Compiler::NOT_CONCURRENT;
  Handle<Code> code;
  if (Compiler::GetOptimizedCode(function, unoptimized, mode).ToHandle(&code)) {
+    // Optimization succeeded, return optimized code.
    function->ReplaceCode(*code);
  } else {
-    function->ReplaceCode(function->shared()->code());
+    // Optimization failed, get unoptimized code.
+    if (isolate->has_pending_exception()) {  // Possible stack overflow.
+      return isolate->heap()->exception();
+    }
+    code = Handle<Code>(function->shared()->code(), isolate);
+    if (code->kind() != Code::FUNCTION &&
+        code->kind() != Code::OPTIMIZED_FUNCTION) {
+      ASSIGN_RETURN_FAILURE_ON_EXCEPTION(
+          isolate, code, Compiler::GetUnoptimizedCode(function));
+    }
+    function->ReplaceCode(*code);
  }

  DCHECK(function->code()->kind() == Code::FUNCTION ||
--- a/test/mjsunit/regress/regress-446389.js
+++ b/test/mjsunit/regress/regress-446389.js
@ -0,0 +1,12 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function runNearStackLimit(f) { function t() { try { t(); } catch(e) { f(); } }; try { t(); } catch(e) {} }
+%OptimizeFunctionOnNextCall(__f_3);
+function __f_3() {
+    var __v_5 = a[0];
+}
+runNearStackLimit(function() { __f_3(); });