[Compiler] Ensure JSFunction is reset if bytecode was flushed before trying to deoptimize it.

BUG=v8:8395 Change-Id: I6e4c7550d71f4fe8b4df36a0a5794f89bf94d70a Reviewed-on: https://chromium-review.googlesource.com/c/1373774Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#58216}

[Compiler] Ensure JSFunction is reset if bytecode was flushed before trying to deoptimize it.
BUG=v8:8395 Change-Id: I6e4c7550d71f4fe8b4df36a0a5794f89bf94d70a Reviewed-on: https://chromium-review.googlesource.com/c/1373774Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Cr-Commit-Position: refs/heads/master@{#58216}
3cdee40e · Ross McIlroy · Commit Bot · bc078ce4 · 3cdee40e · 3cdee40e
Commit 3cdee40e authored Dec 12, 2018 by Ross McIlroy Committed by Commit Bot Dec 13, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 49 additions and 0 deletions

deoptimizer.cc src/deoptimizer.cc +1 -0

lazy-deopt-then-flush-bytecode.js test/debugger/debug/lazy-deopt-then-flush-bytecode.js +48 -0

No files found.
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -428,6 +428,7 @@ void Deoptimizer::DeoptimizeFunction(JSFunction function, Code code) {
                                     RuntimeCallCounterId::kDeoptimizeCode);
  TimerEventScope<TimerEventDeoptimizeCode> timer(isolate);
  TRACE_EVENT0("v8", "V8.DeoptimizeCode");
+  function->ResetIfBytecodeFlushed();
  if (code.is_null()) code = function->code();

  if (code->kind() == Code::OPTIMIZED_FUNCTION) {

--- a/test/debugger/debug/lazy-deopt-then-flush-bytecode.js
+++ b/test/debugger/debug/lazy-deopt-then-flush-bytecode.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --opt --noalways-opt --stress-flush-bytecode
+// Flags: --expose-gc
+
+Debug = debug.Debug
+
+function foo() {
+  return 44;
+}
+
+function listener(event, exec_state, event_data, data) {
+  if (event != Debug.DebugEvent.Break) return;
+
+  // Optimize foo.
+  %OptimizeFunctionOnNextCall(foo);
+  foo();
+  assertOptimized(foo);
+
+  // Lazily deopt foo, which marks the code for deoptimization and invalidates
+  // the DeoptimizationData, but doesn't unlink the optimized code entry in
+  // foo's JSFunction.
+  %DeoptimizeFunction(foo);
+
+  // Run the GC. Since the DeoptimizationData is now dead, the bytecode
+  // associated with the optimized code is free to be flushed, which also
+  // free's the feedback vector meta-data.
+  gc();
+
+  // Execute foo with side-effect checks, which causes the debugger to call
+  // DeoptimizeFunction on foo. Even though the code is already marked for
+  // deoptimization, this will try to unlink the optimized code from the
+  // feedback vector, which will fail due to the feedback meta-data being
+  // flushed. The deoptimizer should call JSFunction::ResetIfBytecodeFlushed
+  // before trying to do this, which will clear the whole feedback vector and
+  // reset the JSFunction's code entry field to CompileLazy.
+  exec_state.frame(0).evaluate("foo()", true);
+}
+
+// Add the debug event listener.
+Debug.setListener(listener);
+
+function f() {
+  debugger;
+}
+f();