Fix CSA_ASSERT failure in CollectCallFeedback

This failure comes as the feedback is cleared but the CallFeedbackContent field remain unchanged. Bug: v8:11851 Change-Id: I75a0acad74dcaab1feafe97779e03caa8b7833de Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2948426 Commit-Queue: Fanchen Kong <fanchen.kong@intel.com> Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#75090}
2021-06-10 00:17:57 +08:00 · 2021-06-10 00:17:57 +08:00 · dd740bc2cb
commit dd740bc2cb
parent 6ec261dcae
2 changed files with 33 additions and 6 deletions
--- a/src/builtins/ic-callable.tq
+++ b/src/builtins/ic-callable.tq
@ -108,10 +108,15 @@ macro CollectCallFeedback(
    if (IsMegamorphic(feedback)) return;
    if (IsUninitialized(feedback)) goto TryInitializeAsMonomorphic;

+    // If cleared, we have a new chance to become monomorphic.
+    const feedbackValue: HeapObject =
+        MaybeObjectToStrong(feedback) otherwise TryReinitializeAsMonomorphic;
+
    if (FeedbackValueIsReceiver(feedbackVector, slotId) &&
        TaggedEqualPrototypeApplyFunction(maybeTarget)) {
-      // If the Receiver is recorded and the target is Function.prototype.apply,
-      // check whether we can stay monomorphic based on the receiver.
+      // If the Receiver is recorded and the target is
+      // Function.prototype.apply, check whether we can stay monomorphic based
+      // on the receiver.
      if (IsMonomorphic(feedback, RunLazy(maybeReceiver))) {
        return;
      } else {
@ -124,10 +129,6 @@ macro CollectCallFeedback(
      }
    }

-    // If cleared, we have a new chance to become monomorphic.
-    const feedbackValue: HeapObject =
-        MaybeObjectToStrong(feedback) otherwise TryInitializeAsMonomorphic;
-
    // Try transitioning to a feedback cell.
    // Check if {target}s feedback cell matches the {feedbackValue}.
    const target =
@ -146,6 +147,10 @@ macro CollectCallFeedback(

    StoreWeakReferenceInFeedbackVector(feedbackVector, slotId, feedbackCell);
    ReportFeedbackUpdate(feedbackVector, slotId, 'Call:FeedbackVectorCell');
+  } label TryReinitializeAsMonomorphic {
+    SetCallFeedbackContent(
+        feedbackVector, slotId, CallFeedbackContent::kTarget);
+    goto TryInitializeAsMonomorphic;
  } label TryInitializeAsMonomorphic {
    let recordedFunction = maybeTarget;
    if (TaggedEqualPrototypeApplyFunction(maybeTarget)) {
--- a/test/mjsunit/regress/regress-v8-11851.js
+++ b/test/mjsunit/regress/regress-v8-11851.js
@ -0,0 +1,22 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+function v0(v1) {
+    v1.apply();
+}
+
+function v2() {
+    function v3() {
+        }
+    %PrepareFunctionForOptimization(v0);
+    v0(v3);
+    %OptimizeFunctionOnNextCall(v0);
+    v0(v3);
+}
+
+v2();
+gc();
+assertThrows(function () { v0(2); }, TypeError);