deoptimize-lazy-weak.js 1.43 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
// Copyright 2017 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --expose-gc --allow-natives-syntax --verify-heap

var o = { f : 0 };

var shouldDeopt = true;

// This tests a scenario where a function has an embedded object reference,
// the function is lazy-deoptimized, the object is then collected, but the
// code object keeps the dangling pointer.

function deopt() {
  if (shouldDeopt) {
    // Change the global object. This deoptimizes function f because
    // it optimistically embedded the reference to o as a constant.
    o = { f : 2 };
    // Collect the original object o; at this point, f should invalidate
    // its invalid reference to the original object.
    gc();
  }
}

// Forwarding function to make sure that function f is not the topomost
// optimized frame (GC treats reference from topmost optimized code strongly).
function dummy_opt() { deopt(); }
function dummy() { dummy_opt(); }
%NeverOptimizeFunction(deopt);
%NeverOptimizeFunction(dummy);

// When optimized, the function f embeds the constant reference
// to the original object o.
function f() {
  dummy();
  return o.f;
}

shouldDeopt = false;
41
%PrepareFunctionForOptimization(dummy_opt);
42 43 44
f();
f();
%OptimizeFunctionOnNextCall(dummy_opt);
45 46 47 48 49
f();
%PrepareFunctionForOptimization(f);
f();
%OptimizeFunctionOnNextCall(f);

50 51
shouldDeopt = true;
assertEquals(2, f());