[turbofan] Skip data-flow analysis of code entry field.

This makes escape analysis skip analyzing the code entry field within JSFunction objects. Said field is an untagged pointer field and hence cannot be tracked by an ObjectState node. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-613494 BUG=chromium:613494 Review-Url: https://codereview.chromium.org/1997353002 Cr-Commit-Position: refs/heads/master@{#36436}
2016-05-23 03:39:24 -07:00 · 2016-05-23 03:39:24 -07:00 · dbd7d5a59f
commit dbd7d5a59f
parent bf705f0fd6
3 changed files with 25 additions and 0 deletions
--- a/src/compiler/escape-analysis.cc
+++ b/src/compiler/escape-analysis.cc
@ -849,6 +849,7 @@ void EscapeStatusAnalysis::DebugPrint() {
 EscapeAnalysis::EscapeAnalysis(Graph* graph, CommonOperatorBuilder* common,
                               Zone* zone)
    : zone_(zone),
+      slot_not_analyzed_(graph->NewNode(common->NumberConstant(0x1c0debad))),
      common_(common),
      status_analysis_(new (zone) EscapeStatusAnalysis(this, graph, zone)),
      virtual_states_(zone),
@ -1460,6 +1461,15 @@ void EscapeAnalysis::ProcessStoreField(Node* node) {
  if (obj && obj->IsTracked() &&
      static_cast<size_t>(offset) < obj->field_count()) {
    Node* val = ResolveReplacement(NodeProperties::GetValueInput(node, 1));
+    // TODO(mstarzinger): The following is a workaround to not track the code
+    // entry field in virtual JSFunction objects. We only ever store the inner
+    // pointer into the compile lazy stub in this field and the deoptimizer has
+    // this assumption hard-coded in {TranslatedState::MaterializeAt} as well.
+    if (val->opcode() == IrOpcode::kInt32Constant ||
+        val->opcode() == IrOpcode::kInt64Constant) {
+      DCHECK_EQ(JSFunction::kCodeEntryOffset, FieldAccessOf(node->op()).offset);
+      val = slot_not_analyzed_;
+    }
    if (obj->GetField(offset) != val) {
      obj = CopyForModificationAt(obj, state, node);
      obj->SetField(offset, val);
--- a/src/compiler/escape-analysis.h
+++ b/src/compiler/escape-analysis.h
@ -70,6 +70,7 @@ class EscapeAnalysis {
  CommonOperatorBuilder* common() const { return common_; }

  Zone* const zone_;
+  Node* const slot_not_analyzed_;
  CommonOperatorBuilder* const common_;
  EscapeStatusAnalysis* status_analysis_;
  ZoneVector<VirtualState*> virtual_states_;
--- a/test/mjsunit/regress/regress-crbug-613494.js
+++ b/test/mjsunit/regress/regress-crbug-613494.js
@ -0,0 +1,14 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo-escape --noanalyze-environment-liveness
+
+function f() {
+  var bound = 0;
+  function g() { return bound }
+}
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();