[TurboFan] investigate a crash in GenerateDeoptimizationData

We know the array CodeGenerator::deoptimization_literals_ is corrupted somehow. Additional checks in place to validate. Bug: chromium:1027130 Change-Id: Ie0146003f096d24e67aeb382372bca8472548c2a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2182636 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#67641}
2020-05-07 09:52:21 +02:00 · 2020-05-07 09:52:21 +02:00 · ee0c1b0e4d
commit ee0c1b0e4d
parent d64bcab369
2 changed files with 20 additions and 3 deletions
--- a/src/compiler/backend/code-generator.cc
+++ b/src/compiler/backend/code-generator.cc
@ -996,8 +996,10 @@ void CodeGenerator::RecordCallPosition(Instruction* instr) {
 }

 int CodeGenerator::DefineDeoptimizationLiteral(DeoptimizationLiteral literal) {
+  literal.Validate();
  int result = static_cast<int>(deoptimization_literals_.size());
  for (unsigned i = 0; i < deoptimization_literals_.size(); ++i) {
+    deoptimization_literals_[i].Validate();
    if (deoptimization_literals_[i] == literal) return i;
  }
  deoptimization_literals_.push_back(literal);
@ -1349,6 +1351,7 @@ OutOfLineCode::OutOfLineCode(CodeGenerator* gen)
 OutOfLineCode::~OutOfLineCode() = default;

 Handle<Object> DeoptimizationLiteral::Reify(Isolate* isolate) const {
+  Validate();
  switch (kind_) {
    case DeoptimizationLiteralKind::kObject: {
      return object_;
@ -1359,6 +1362,9 @@ Handle<Object> DeoptimizationLiteral::Reify(Isolate* isolate) const {
    case DeoptimizationLiteralKind::kString: {
      return string_->AllocateStringConstant(isolate);
    }
+    case DeoptimizationLiteralKind::kInvalid: {
+      UNREACHABLE();
+    }
  }
  UNREACHABLE();
 }
--- a/src/compiler/backend/code-generator.h
+++ b/src/compiler/backend/code-generator.h
@ -51,12 +51,16 @@ class InstructionOperandIterator {
  size_t pos_;
 };

-enum class DeoptimizationLiteralKind { kObject, kNumber, kString };
+enum class DeoptimizationLiteralKind { kObject, kNumber, kString, kInvalid };

 // Either a non-null Handle<Object>, a double or a StringConstantBase.
 class DeoptimizationLiteral {
 public:
-  DeoptimizationLiteral() : object_(), number_(0), string_(nullptr) {}
+  DeoptimizationLiteral()
+      : kind_(DeoptimizationLiteralKind::kInvalid),
+        object_(),
+        number_(0),
+        string_(nullptr) {}
  explicit DeoptimizationLiteral(Handle<Object> object)
      : kind_(DeoptimizationLiteralKind::kObject), object_(object) {
    CHECK(!object_.is_null());
@ -77,7 +81,14 @@ class DeoptimizationLiteral {

  Handle<Object> Reify(Isolate* isolate) const;

-  DeoptimizationLiteralKind kind() const { return kind_; }
+  void Validate() const {
+    CHECK_NE(kind_, DeoptimizationLiteralKind::kInvalid);
+  }
+
+  DeoptimizationLiteralKind kind() const {
+    Validate();
+    return kind_;
+  }

 private:
  DeoptimizationLiteralKind kind_;