    Fix terrible interaction with code flushing. · 816abc5e
    mstarzinger authored
    This fixes a terrible interaction of code flushing and the clearing of
    optimized code maps hanging off a SharedFunctionInfo. The following is
    what happened:
    1) Incremental marking cleared the map in SharedFunctionInfo s; however, it
       was not enqueued as a flushing candidate because one JSFunction f1
       still had optimized code.
    2) Deoptimization of f1 made s eligible for code flushing.
    3) Optimization of f2 added a new entry to the optimized code map of s.
    4) The JSFunction f2 became unreachable and hence was never marked.
    5) Incremental marking now visited f1, found it eligible for flushing,
       and s was also eligible for flushing, so both were enqueued.
    6) Marking finished, and the code flusher cleared f1 and s, but the
       optimized code map of s still contained an entry.
    7) Boom!
    
    R=ulan@chromium.org,hpayer@chromium.org
    TEST=mjsunit/es6/generators-iteration
    BUG=v8:3803
    LOG=N
    
    Review URL: https://codereview.chromium.org/1197713004
    
    Cr-Commit-Position: refs/heads/master@{#29177}