[TurboFan] Fix bug in FunctionBlueprint::operator==()

FunctionBlueprint holds a SharedFunctionInfo, FeedbackVector and a
Hints object that represents what we know about the Context of
the "function-to-be." Since we occasionally synthesize a
FunctionBlueprint object from a JSFunction (when we have it),
it can happen that sometimes the Context hint is a concrete
Context object, and other times it's a VirtualContext, representing
a context created sometime during the bytecode execution of the
function under optimization. Moreover, both such FunctionBlueprints
can exist in the same run due to the vagaries of CALL_IC feedback
(ie, sometimes you have a JSFunction, other times you don't).

More details in doc:
https://docs.google.com/document/d/1F1FxoDzlaYP5l5T6ZcZacV3LCUp5elcez05KWj-Mp78/edit?usp=sharing

Bug: crbug:1024282
Change-Id: Id4055531333b3dcbdb93afd23d9a226728292e11
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1926151
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Maya Lekova <mslekova@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#65127}

src/compiler/serializer-for-background-compilation.cc

@@ -266,22 +266,14 @@ class FunctionBlueprint {
   const Hints& context_hints() const { return context_hints_; }
 
   bool operator==(const FunctionBlueprint& other) const {
-    // A feedback vector is never used for more than one SFI. Moreover, we can
-    // never have two blueprints with identical feedback vector (and SFI) but
-    // different hints, because:
-    // (1) A blueprint originates either (i) from the data associated with a
-    //     CreateClosure bytecode, in which case two different CreateClosure
-    //     bytecodes never have the same feedback vector, or (ii) from a
-    //     JSFunction, in which case the hints are determined by the closure.
-    // (2) We never extend a blueprint's hints after construction.
-    //
-    // It is therefore sufficient to look at the feedback vector in order to
-    // decide equality.
+    // A feedback vector is never used for more than one SFI.  There might,
+    // however, be two blueprints with the same SFI and vector, but different
+    // context hints. crbug.com/1024282 has a link to a document describing
+    // why the context_hints_ might be different in that case.
     DCHECK_IMPLIES(feedback_vector_.equals(other.feedback_vector_),
                    shared_.equals(other.shared_));
-    SLOW_DCHECK(!feedback_vector_.equals(other.feedback_vector_) ||
-                context_hints_.Equals(other.context_hints_));
-    return feedback_vector_.equals(other.feedback_vector_);
+    return feedback_vector_.equals(other.feedback_vector_) &&
+           context_hints_ == other.context_hints_;
   }
 
  private:

test/mjsunit/regress/regress-crbug-1024282.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-gc
+
+assertThrows = function assertThrows(code) {};
+%PrepareFunctionForOptimization(assertThrows);
+
+function foo(val) {
+  var arr = [];
+  function bar() {
+    function m1() {}
+    %PrepareFunctionForOptimization(m1);
+    assertThrows(m1);
+    0 in arr;
+  }
+  %PrepareFunctionForOptimization(bar);
+  bar();  // virtual context distance of 1 from native_context
+  gc();
+  bar(true);
+}
+
+%PrepareFunctionForOptimization(foo);
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();