cebfde6769
The function-entry stack check should dominate all other instructions in a function. Prior to this CL it was possible to create paths not including a stack check due to SwitchOnGeneratorState: the generator-creation branch had a stack check, while generator-resume branches did not.

     0 : af fb 00 01       SwitchOnGeneratorState r0, [0], [1] { 0: @22 }
     4 : 27 fe fa          Mov <closure>, r1
     7 : 27 02 f9          Mov <this>, r2
    10 : 64 0a fa 02       InvokeIntrinsic [_CreateJSGeneratorObject], r1-r2
    14 : 26 fb             Star r0
    16 : a7                StackCheck
    17 : b0 fb fb 01 00    SuspendGenerator r0, r0-r0, [0]
    22 : b1 fb fb 01       ResumeGenerator r0, r0-r0
    [... no stack check here ...]

This CL moves the stack check to the beginning of the bytecode array, i.e. before SwitchOnGeneratorState.

Bug: chromium:1020031
Change-Id: I8ba8cba99611ddbe50c76023129d926cc84b1d5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1903440
Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64888}
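To see why the resume branch needs its own stack check, here is an added example that is not the CL's regression test and not V8 code: it builds a call chain out of generator resumes only. Each level suspends on its creation path, and all recursion happens after ResumeGenerator, so any stack growth is charged to the resume branch. On an engine where that branch is covered by a stack check, the unbounded variant ends in a catchable RangeError instead of an unchecked overflow, while the bounded variant completes normally. The names resumer and probeResumeChain, the depth limits, and the result shape are the example's own assumptions.

```javascript
'use strict';

// Added example, not part of the V8 CL or its test. Every resume of a
// generator re-enters its body, so a chain of resumes is a call chain and
// needs a stack check on the resume path, not only on the creation path.
function* resumer(depth, limit) {
  yield depth;                 // creation path: suspend immediately

  // Everything below runs on the resume path (the ResumeGenerator target).
  // Recurse through another generator's resume rather than a plain call,
  // so no frame on the stack comes from the creation branch.
  if (depth >= limit) return depth;
  const inner = resumer(depth + 1, limit);
  inner.next();                // run inner's creation branch up to its yield
  const r = inner.next();      // resume inner: the recursive step
  return r.value;
}

// Drives a resume chain of at most `limit` levels and reports how it ended.
// A stack overflow is expected to surface as a RangeError, not a crash.
function probeResumeChain(limit) {
  const gen = resumer(0, limit);
  gen.next();                  // creation branch of the outermost generator
  try {
    const r = gen.next();      // first resume; all recursion starts here
    return { completed: true, depth: r.value, error: null };
  } catch (e) {
    return {
      completed: false,
      depth: null,
      error: e instanceof RangeError ? 'RangeError' : e.constructor.name,
    };
  }
}

function main() {
  // Bounded chain: returns normally with the deepest level reached.
  console.log(probeResumeChain(50));
  // Unbounded chain: must end in a catchable RangeError.
  console.log(probeResumeChain(Infinity));
}

main();
```

Run it with node. `node --print-bytecode` (a V8 flag node forwards) dumps each function's bytecode; whether a StackCheck bytecode appears before SwitchOnGeneratorState depends on the V8 version in use.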
29 lines
556 B
JavaScript
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --expose-gc --allow-natives-syntax --predictable --stack-size=300

function* f() {
  try {
    g();
  } catch {}
}

function g() {
  try {
    for (var i of f());
  } catch {
    gc();
  }
}

%PrepareFunctionForOptimization(g);
g();
g();
g();
// Brittle repro: depends on exact placement of OptimizeFunctionOnNextCall and
// --stack-size.
%OptimizeFunctionOnNextCall(g);
g();
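Review bot: the `catch {}` in f and the `catch { gc(); }` in g swallow every exception, including the stack-overflow RangeError this repro depends on, so nothing in the file states what a passing run looks like. A one-line comment next to the Flags line naming the expected outcome (recursion through f/g overflows under --stack-size=300, the RangeError is caught, and the resumed generator frames must have been stack-checked) would make the test readable by someone rerunning it after the flags or optimization placement change. The loop variable `i` in `for (var i of f());` is unused and could be dropped or commented as such.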