From dd740bc2cb5880fa9257e280b1e5c49febcb5d41 Mon Sep 17 00:00:00 2001
From: Fanchen Kong
Date: Thu, 10 Jun 2021 00:17:57 +0800
Subject: [PATCH] Fix CSA_ASSERT failure in CollectCallFeedback

This failure comes as the feedback is cleared but the CallFeedbackContent field remain unchanged.

Bug: v8:11851
Change-Id: I75a0acad74dcaab1feafe97779e03caa8b7833de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2948426
Commit-Queue: Fanchen Kong
Reviewed-by: Georg Neis
Reviewed-by: Ross McIlroy
Cr-Commit-Position: refs/heads/master@{#75090}
---
 src/builtins/ic-callable.tq | 17 +++++++++++------
 test/mjsunit/regress/regress-v8-11851.js | 22 ++++++++++++++++++++++
 2 files changed, 33 insertions(+), 6 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-v8-11851.js

diff --git a/src/builtins/ic-callable.tq b/src/builtins/ic-callable.tq
index 0c9e2c0a53..dd29e8bf5e 100644
--- a/src/builtins/ic-callable.tq
+++ b/src/builtins/ic-callable.tq
@@ -108,10 +108,15 @@ macro CollectCallFeedback(
   if (IsMegamorphic(feedback)) return;
   if (IsUninitialized(feedback)) goto TryInitializeAsMonomorphic;
+  // If cleared, we have a new chance to become monomorphic.
+  const feedbackValue: HeapObject =
+      MaybeObjectToStrong(feedback) otherwise TryReinitializeAsMonomorphic;
+
   if (FeedbackValueIsReceiver(feedbackVector, slotId) &&
       TaggedEqualPrototypeApplyFunction(maybeTarget)) {
-    // If the Receiver is recorded and the target is Function.prototype.apply,
-    // check whether we can stay monomorphic based on the receiver.
+    // If the Receiver is recorded and the target is
+    // Function.prototype.apply, check whether we can stay monomorphic based
+    // on the receiver.
     if (IsMonomorphic(feedback, RunLazy(maybeReceiver))) {
       return;
     } else {
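Review bot: The comment above the moved `const feedbackValue` still only says that a cleared slot gets a new chance to become monomorphic; nothing in this hunk, nor at the new label in hunk `@@ -146,6 +147,10`, states why the `otherwise` target is now TryReinitializeAsMonomorphic instead of TryInitializeAsMonomorphic. The commit message gives the reason: clearing the weak reference leaves the CallFeedbackContent field untouched, so it can still say kReceiver when the slot is re-initialized with a plain target. Suggest `// If cleared, we have a new chance to become monomorphic. Clearing does not reset CallFeedbackContent, so TryReinitializeAsMonomorphic forces it back to kTarget before re-initializing.` here and a one-line comment of the same content on the new label. Since CSA_ASSERT is a debug-only check, a release build would presumably have continued with the stale field rather than failing, which is worth recording so the ordering is not "simplified" back later. CollectCallFeedback begins before and ends after this hunk.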
@@ -124,10 +129,6 @@ macro CollectCallFeedback(
     }
   }
-  // If cleared, we have a new chance to become monomorphic.
-  const feedbackValue: HeapObject =
-      MaybeObjectToStrong(feedback) otherwise TryInitializeAsMonomorphic;
-
   // Try transitioning to a feedback cell.
   // Check if {target}s feedback cell matches the {feedbackValue}.
   const target =
@@ -146,6 +147,10 @@ macro CollectCallFeedback(
     StoreWeakReferenceInFeedbackVector(feedbackVector, slotId, feedbackCell);
     ReportFeedbackUpdate(feedbackVector, slotId, 'Call:FeedbackVectorCell');
+  } label TryReinitializeAsMonomorphic {
+    SetCallFeedbackContent(
+        feedbackVector, slotId, CallFeedbackContent::kTarget);
+    goto TryInitializeAsMonomorphic;
   } label TryInitializeAsMonomorphic {
     let recordedFunction = maybeTarget;
     if (TaggedEqualPrototypeApplyFunction(maybeTarget)) {
diff --git a/test/mjsunit/regress/regress-v8-11851.js b/test/mjsunit/regress/regress-v8-11851.js
new file mode 100644
index 0000000000..4f2d217b52
--- /dev/null
+++ b/test/mjsunit/regress/regress-v8-11851.js
@@ -0,0 +1,22 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+function v0(v1) {
+  v1.apply();
+}
+
+function v2() {
+  function v3() {
+  }
+  %PrepareFunctionForOptimization(v0);
+  v0(v3);
+  %OptimizeFunctionOnNextCall(v0);
+  v0(v3);
+}
+
+v2();
+gc();
+assertThrows(function () { v0(2); }, TypeError);
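Review bot: The regression test relies on `gc()` clearing the weak reference to `v3` that `v0`'s call feedback recorded, but the file never says so, and a reader cannot tell whether the `TypeError` is the thing under test or just a by-product of calling `.apply` on the number `2`. A comment before `v2();` such as `// v0 calls v1.apply(), so the feedback slot presumably records the receiver (v3). Once v2() returns v3 is unreachable; gc() clears the weak reference while CallFeedbackContent stays as recorded, and the next call must re-initialize the slot instead of tripping the CSA_ASSERT.` would tie the test to the fix in src/builtins/ic-callable.tq. It would also help to note next to the `Flags:` line that both `--allow-natives-syntax` (for `%PrepareFunctionForOptimization` / `%OptimizeFunctionOnNextCall`) and `--expose-gc` are required for the scenario, since without the forced collection the cleared state is unlikely to be reached deterministically.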