lazy-deopt-then-flush-bytecode.js

// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax --opt --noalways-opt --stress-flush-bytecode
// Flags: --expose-gc

Debug = debug.Debug

function foo() {
  return 44;
}

function listener(event, exec_state, event_data, data) {
  if (event != Debug.DebugEvent.Break) return;

  // Optimize foo.
  %PrepareFunctionForOptimization(foo);
  %OptimizeFunctionOnNextCall(foo);
  foo();
  assertOptimized(foo);

  // Lazily deopt foo, which marks the code for deoptimization and invalidates
  // the DeoptimizationData, but doesn't unlink the optimized code entry in
  // foo's JSFunction.
  %DeoptimizeFunction(foo);

  // Run the GC. Since the DeoptimizationData is now dead, the bytecode
  // associated with the optimized code is free to be flushed, which also
  // free's the feedback vector meta-data.
  gc();

  // Execute foo with side-effect checks, which causes the debugger to call
  // DeoptimizeFunction on foo. Even though the code is already marked for
  // deoptimization, this will try to unlink the optimized code from the
  // feedback vector, which will fail due to the feedback meta-data being
  // flushed. The deoptimizer should call JSFunction::ResetIfBytecodeFlushed
  // before trying to do this, which will clear the whole feedback vector and
  // reset the JSFunction's code entry field to CompileLazy.
  exec_state.frame(0).evaluate("foo()", true);
}

// Add the debug event listener.
Debug.setListener(listener);

function f() {
  debugger;
}
f();