[deoptimizer] Fix materialization of builtin stub registers.

This makes sure that frames representing builtin stub continuations not only materialize all stack slots, but also spilled register values. Note that this also applies when the stub frame is not the top-most frame. R=jarin@chromium.org TEST=mjsunit/regress/regress-6907 BUG=v8:6907 Change-Id: I01a2edf5629de6aac61ceea350d1ab5f91dc2dc1 Reviewed-on: https://chromium-review.googlesource.com/707245Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48415}

[deoptimizer] Fix materialization of builtin stub registers.
This makes sure that frames representing builtin stub continuations not only materialize all stack slots, but also spilled register values. Note that this also applies when the stub frame is not the top-most frame. R=jarin@chromium.org TEST=mjsunit/regress/regress-6907 BUG=v8:6907 Change-Id: I01a2edf5629de6aac61ceea350d1ab5f91dc2dc1 Reviewed-on: https://chromium-review.googlesource.com/707245Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Cr-Commit-Position: refs/heads/master@{#48415}
0a7fcd0f · Michael Starzinger · Commit Bot · a5e5384d · 0a7fcd0f · 0a7fcd0f
Commit 0a7fcd0f authored Oct 09, 2017 by Michael Starzinger Committed by Commit Bot Oct 10, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 42 additions and 10 deletions

deoptimizer.cc src/deoptimizer.cc +21 -10

regress-6907.js test/mjsunit/regress/regress-6907.js +21 -0

No files found.
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -1636,14 +1636,16 @@ void Deoptimizer::DoComputeBuiltinContinuation(
  // Get the possible JSFunction for the case that
  intptr_t maybe_function =
      reinterpret_cast<intptr_t>(value_iterator->GetRawValue());
+  ++input_index;
  ++value_iterator;

-  std::vector<intptr_t> register_values;
+  struct RegisterValue {
+    Object* raw_value_;
+    TranslatedFrame::iterator iterator_;
+  };
+  std::vector<RegisterValue> register_values;
  int total_registers = config->num_general_registers();
-  register_values.resize(total_registers, 0);
-  for (int i = 0; i < total_registers; ++i) {
-    register_values[i] = 0;
-  }
+  register_values.resize(total_registers, {Smi::kZero, value_iterator});

  intptr_t value;

@@ -1672,9 +1674,9 @@ void Deoptimizer::DoComputeBuiltinContinuation(
  }

  for (int i = 0; i < register_parameter_count; ++i) {
-    value = reinterpret_cast<intptr_t>(value_iterator->GetRawValue());
+    Object* object = value_iterator->GetRawValue();
    int code = continuation_descriptor.GetRegisterParameter(i).code();
-    register_values[code] = value;
+    register_values[code] = {object, value_iterator};
    ++input_index;
    ++value_iterator;
  }
@@ -1684,8 +1686,9 @@ void Deoptimizer::DoComputeBuiltinContinuation(
  // sure that it's harvested from the translation and copied into the register
  // set (it was automatically added at the end of the FrameState by the
  // instruction selector).
-  value = reinterpret_cast<intptr_t>(value_iterator->GetRawValue());
-  register_values[kContextRegister.code()] = value;
+  Object* context = value_iterator->GetRawValue();
+  value = reinterpret_cast<intptr_t>(context);
+  register_values[kContextRegister.code()] = {context, value_iterator};
  output_frame->SetContext(value);
  output_frame->SetRegister(kContextRegister.code(), value);
  ++input_index;
@@ -1755,7 +1758,8 @@ void Deoptimizer::DoComputeBuiltinContinuation(
  for (int i = 0; i < allocatable_register_count; ++i) {
    output_frame_offset -= kPointerSize;
    int code = config->GetAllocatableGeneralCode(i);
-    value = register_values[code];
+    Object* object = register_values[code].raw_value_;
+    value = reinterpret_cast<intptr_t>(object);
    output_frame->SetFrameSlot(output_frame_offset, value);
    if (trace_scope_ != nullptr) {
      ScopedVector<char> str(128);
@@ -1772,6 +1776,13 @@ void Deoptimizer::DoComputeBuiltinContinuation(
      DebugPrintOutputSlot(value, frame_index, output_frame_offset,
                           str.start());
    }
+    if (object == isolate_->heap()->arguments_marker()) {
+      Address output_address =
+          reinterpret_cast<Address>(output_[frame_index]->GetTop()) +
+          output_frame_offset;
+      values_to_materialize_.push_back(
+          {output_address, register_values[code].iterator_});
+    }
  }

  // Clear the context register. The context might be a de-materialized object

--- a/test/mjsunit/regress/regress-6907.js
+++ b/test/mjsunit/regress/regress-6907.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+(function TestDematerializedContextInBuiltin() {
+  var f = function() {
+    var b = [1,2,3];
+    var callback = function(v,i,o) {
+      %_DeoptimizeNow();
+    };
+    try { throw 0 } catch(e) {
+      return b.forEach(callback);
+    }
+  }
+  f();
+  f();
+  %OptimizeFunctionOnNextCall(f);
+  f();
+})();