test/mjsunit/regress/regress-1020031.js · 6cd16f02cb3a23cbb43fc0b6efe0a36aaf58fe7f · Linshizhi / V8

[interpreter] Move function-entry stack check to start of bytecode array · cebfde67

Jakob Gruber authored Nov 11, 2019

The function-entry stack check should dominate all other
instructions in a function. Prior to this CL it was possible to create
paths not including a stack check due to SwitchOnGeneratorState: the
generator-creation branch had a stack check, while generator-resume
branches did not.

  0 : af fb 00 01       SwitchOnGeneratorState r0, [0], [1] { 0: @22 }
  4 : 27 fe fa          Mov <closure>, r1
  7 : 27 02 f9          Mov <this>, r2
 10 : 64 0a fa 02       InvokeIntrinsic [_CreateJSGeneratorObject], r1-r2
 14 : 26 fb             Star r0
 16 : a7                StackCheck
 17 : b0 fb fb 01 00    SuspendGenerator r0, r0-r0, [0]
 22 : b1 fb fb 01       ResumeGenerator r0, r0-r0
                        [... no stack check here ...]

This CL moves the stack check to the beginning of the bytecode array,
i.e. before SwitchOnGeneratorState.

Bug: chromium:1020031
Change-Id: I8ba8cba99611ddbe50c76023129d926cc84b1d5e
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1903440Reviewed-by: Georg Neis <neis@chromium.org>
Reviewed-by: Ross McIlroy <rmcilroy@chromium.org>
Commit-Queue: Jakob Gruber <jgruber@chromium.org>
Cr-Commit-Position: refs/heads/master@{#64888}

cebfde67

regress-1020031.js 556 Bytes

Replace regress-1020031.js