85b1d24b3f
When creating a new closure, we check the feedback vector for any optimized code and install it on the newly created closure. We evict the optimized code from the feedback vector if it is marked for deoptimization. We used to evict the code before creating the new closure. However, creating a new closure could cause allocation failures and hence trigger a GC. This could mark optimized code on the feedback vector for deoptimization if any weak objects held by optimized code are GC'ed. This CL delays the eviction until after the closure was created. Bug: v8:1163184 Change-Id: I217279e4a51f75b87bb7ae5a00fd1cf57805e3c8 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2613034 Commit-Queue: Mythri Alle <mythria@chromium.org> Reviewed-by: Ulan Degenbaev <ulan@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#71999}
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --stress-compact
// Regression test for v8:1163184. Per the fix's description, creating a new
// closure can fail an allocation and trigger a GC, and that GC can mark the
// optimized code cached on the feedback vector for deoptimization if weak
// objects held by that code are collected. The eviction check used to run
// before the closure was created, so it could miss code marked this way.
// The script has no assertions; presumably it passes by running to completion
// without a crash (confirm against the test runner's conventions).
let arr = [20];
// This forces arr.concat to create a new dictionary map which can be collected
// on a GC.
arr[Symbol.isConcatSpreadable] = true;

for (let i = 0; i < 4; ++i) {
  // tmp is declared inside the loop body, so a closure for it is created on
  // every iteration; closure creation is the operation under test.
  function tmp() {
    // Creates a new map that is collected on a GC.
    let c = arr.concat();
    // Access something from c, so c's map is embedded in code object.
    c.x;
  };
  %PrepareFunctionForOptimization(tmp);
  tmp();
  // Optimize on the second iteration, so the optimized code isn't function
  // context specialized and is installed on the feedback vector.
  if (i == 1) {
    %OptimizeFunctionOnNextCall(tmp);
    tmp();
  }
  // Simulate full Newspace, so on next closure creation we cause a GC.
  // That next closure creation is the one at the start of the final
  // iteration (i == 3), after optimized code was produced at i == 1.
  if (i == 2) %SimulateNewspaceFull();
}