Remove crash-hunting instrumentation that has served its purpose.

BUG=chromium:527994 LOG=n Review URL: https://codereview.chromium.org/1358393004 Cr-Commit-Position: refs/heads/master@{#30889}

Remove crash-hunting instrumentation that has served its purpose.
BUG=chromium:527994 LOG=n Review URL: https://codereview.chromium.org/1358393004 Cr-Commit-Position: refs/heads/master@{#30889}
3e58db33 · jkummerow · Commit bot · bfccd518 · 3e58db33 · 3e58db33
Commit 3e58db33 authored Sep 23, 2015 by jkummerow Committed by Commit bot Sep 23, 2015
14 changed files
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -1739,7 +1739,7 @@ BUILTIN(HandleApiCallAsConstructor) {


 static void Generate_LoadIC_Miss(MacroAssembler* masm) {
-  LoadIC::GenerateMiss(masm, LoadIC::kStressBuiltin);
+  LoadIC::GenerateMiss(masm);
 }



--- a/src/full-codegen/x64/full-codegen-x64.cc
+++ b/src/full-codegen/x64/full-codegen-x64.cc
@@ -2242,47 +2242,10 @@ void FullCodeGenerator::EmitNamedPropertyLoad(Property* prop) {
  Literal* key = prop->key()->AsLiteral();
  DCHECK(!prop->IsSuperAccess());

-  // See comment below.
-  if (FeedbackVector()->GetIndex(prop->PropertyFeedbackSlot()) == 6) {
-    __ Push(LoadDescriptor::ReceiverRegister());
-  }
-
  __ Move(LoadDescriptor::NameRegister(), key->value());
  __ Move(LoadDescriptor::SlotRegister(),
          SmiFromSlot(prop->PropertyFeedbackSlot()));
  CallLoadIC(NOT_INSIDE_TYPEOF, language_mode());
-
-  // Sanity check: The loaded value must be a JS-exposed kind of object,
-  // not something internal (like a Map, or FixedArray). Check this here
-  // to chase after a rare but recurring crash bug. It seems to always
-  // occur for functions beginning with "this.foo.bar()", so be selective
-  // and only insert the check for the first LoadIC (identified by slot).
-  // TODO(chromium:527994): Remove this when we have a few crash reports.
-  // Don't forget to remove the Push() above as well!
-  if (FeedbackVector()->GetIndex(prop->PropertyFeedbackSlot()) == 6) {
-    __ Pop(LoadDescriptor::ReceiverRegister());
-
-    Label ok, sound_alarm;
-    __ JumpIfSmi(rax, &ok, Label::kNear);
-    __ movp(rbx, FieldOperand(rax, HeapObject::kMapOffset));
-    __ CompareRoot(rbx, Heap::kMetaMapRootIndex);
-    __ j(equal, &sound_alarm);
-    __ CompareRoot(rbx, Heap::kFixedArrayMapRootIndex);
-    __ j(not_equal, &ok, Label::kNear);
-
-    __ bind(&sound_alarm);
-    __ Push(Smi::FromInt(0xaabbccdd));
-    __ Push(LoadDescriptor::ReceiverRegister());
-    __ movp(rbx, FieldOperand(LoadDescriptor::ReceiverRegister(),
-                              HeapObject::kMapOffset));
-    __ Push(rbx);
-    __ movp(rbx, FieldOperand(LoadDescriptor::ReceiverRegister(),
-                              JSObject::kPropertiesOffset));
-    __ Push(rbx);
-    __ int3();
-
-    __ bind(&ok);
-  }
 }



--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -9626,29 +9626,6 @@ void HOptimizedGraphBuilder::VisitCall(Call* expr) {
    CHECK_ALIVE(VisitForValue(prop->obj()));
    HValue* receiver = Top();

-    // Sanity check: The receiver must be a JS-exposed kind of object,
-    // not something internal (like a Map, or FixedArray). Check this here
-    // to chase after a rare but recurring crash bug. It seems to always
-    // occur for functions beginning with "this.foo.bar()", so be selective
-    // and only insert the check for the first call (identified by slot).
-    // TODO(chromium:527994): Remove this when we have a few crash reports.
-    if (prop->key()->IsPropertyName() &&
-        prop->PropertyFeedbackSlot().ToInt() == 2) {
-      IfBuilder if_heapobject(this);
-      if_heapobject.IfNot<HIsSmiAndBranch>(receiver);
-      if_heapobject.Then();
-      {
-        IfBuilder special_map(this);
-        Factory* factory = isolate()->factory();
-        special_map.If<HCompareMap>(receiver, factory->fixed_array_map());
-        special_map.OrIf<HCompareMap>(receiver, factory->meta_map());
-        special_map.Then();
-        Add<HDebugBreak>();
-        special_map.End();
-      }
-      if_heapobject.End();
-    }
-
    SmallMapList* maps;
    ComputeReceiverTypes(expr, receiver, &maps, zone());


--- a/src/ic/arm/ic-arm.cc
+++ b/src/ic/arm/ic-arm.cc
@@ -300,7 +300,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
  // The return address is in lr.
  Isolate* isolate = masm->isolate();


--- a/src/ic/arm64/ic-arm64.cc
+++ b/src/ic/arm64/ic-arm64.cc
@@ -280,7 +280,7 @@ void LoadIC::GenerateNormal(MacroAssembler* masm, LanguageMode language_mode) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
  // The return address is in lr.
  Isolate* isolate = masm->isolate();
  ASM_LOCATION("LoadIC::GenerateMiss");

--- a/src/ic/ia32/ic-ia32.cc
+++ b/src/ic/ia32/ic-ia32.cc
@@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
  // Return address is on the stack.
  __ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);
  LoadIC_PushArgs(masm);

--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2377,17 +2377,6 @@ RUNTIME_FUNCTION(Runtime_LoadIC_Miss) {
    LoadIC ic(IC::NO_EXTRA_FRAME, isolate, &nexus);
    ic.UpdateState(receiver, key);
    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, ic.Load(receiver, key));
-
-    // Sanity check: The loaded value must be a JS-exposed kind of object,
-    // not something internal (like a Map, or FixedArray). Check this here
-    // to chase after a rare but recurring crash bug.
-    // TODO(chromium:527994): Remove this when we have a few crash reports.
-    if (!result->IsSmi()) {
-      InstanceType type =
-          Handle<HeapObject>::cast(result)->map()->instance_type();
-      CHECK(type <= LAST_PRIMITIVE_TYPE || type >= FIRST_JS_RECEIVER_TYPE);
-    }
-
  } else {
    DCHECK(vector->GetKind(vector_slot) == Code::KEYED_LOAD_IC);
    KeyedLoadICNexus nexus(vector, vector_slot);
@@ -3126,17 +3115,6 @@ RUNTIME_FUNCTION(Runtime_LoadIC_MissFromStubFailure) {
    LoadIC ic(IC::EXTRA_CALL_FRAME, isolate, &nexus);
    ic.UpdateState(receiver, key);
    ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, ic.Load(receiver, key));
-
-    // Sanity check: The loaded value must be a JS-exposed kind of object,
-    // not something internal (like a Map, or FixedArray). Check this here
-    // to chase after a rare but recurring crash bug.
-    // TODO(chromium:527994): Remove this when we have a few crash reports.
-    if (!result->IsSmi()) {
-      InstanceType type =
-          Handle<HeapObject>::cast(result)->map()->instance_type();
-      CHECK(type <= LAST_PRIMITIVE_TYPE || type >= FIRST_JS_RECEIVER_TYPE);
-    }
-
  } else {
    DCHECK(vector->GetKind(vector_slot) == Code::KEYED_LOAD_IC);
    KeyedLoadICNexus nexus(vector, vector_slot);

--- a/src/ic/ic.h
+++ b/src/ic/ic.h
@@ -324,16 +324,8 @@ class LoadIC : public IC {

  // Code generator routines.

-  // TODO(jkummerow): Remove the stress parameter and these stress constants
-  // when a crash bug is fixed.
-  static const int kStressNone = 0;
-  static const int kStressInit = 1;
-  static const int kStressDispatcher = 2;
-  static const int kStressBuiltin = 3;
-  static void GenerateInitialize(MacroAssembler* masm) {
-    GenerateMiss(masm, kStressInit);
-  }
-  static void GenerateMiss(MacroAssembler* masm, int stress = kStressNone);
+  static void GenerateInitialize(MacroAssembler* masm) { GenerateMiss(masm); }
+  static void GenerateMiss(MacroAssembler* masm);
  static void GenerateRuntimeGetProperty(MacroAssembler* masm,
                                         LanguageMode language_mode);
  static void GenerateNormal(MacroAssembler* masm, LanguageMode language_mode);

--- a/src/ic/mips/ic-mips.cc
+++ b/src/ic/mips/ic-mips.cc
@@ -306,7 +306,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
  // The return address is in ra.
  Isolate* isolate = masm->isolate();


--- a/src/ic/mips64/ic-mips64.cc
+++ b/src/ic/mips64/ic-mips64.cc
@@ -303,7 +303,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
  // The return address is on the stack.
  Isolate* isolate = masm->isolate();


--- a/src/ic/ppc/ic-ppc.cc
+++ b/src/ic/ppc/ic-ppc.cc
@@ -310,7 +310,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
  // The return address is in lr.
  Isolate* isolate = masm->isolate();


--- a/src/ic/x64/ic-x64.cc
+++ b/src/ic/x64/ic-x64.cc
@@ -667,7 +667,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
  // The return address is on the stack.

  Counters* counters = masm->isolate()->counters();
@@ -675,36 +675,6 @@ void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {

  LoadIC_PushArgs(masm);

-  Register receiver = LoadDescriptor::ReceiverRegister();
-
-  // Sanity check: The receiver must be a JS-exposed kind of object,
-  // not something internal (like a Map, or FixedArray). Check this here
-  // to chase after a rare but recurring crash bug.
-  // TODO(chromium:527994): Remove this when we have a few crash reports.
-
-  Label ok, sound_alarm;
-  __ JumpIfSmi(receiver, &ok, Label::kNear);
-  __ movp(rbx, FieldOperand(receiver, HeapObject::kMapOffset));
-  __ CompareRoot(rbx, Heap::kMetaMapRootIndex);
-  __ j(equal, &sound_alarm);
-  __ CompareRoot(rbx, Heap::kFixedArrayMapRootIndex);
-  __ j(not_equal, &ok, Label::kNear);
-
-  // This cmpp instruction is only here to identify which of several kinds
-  // of code blocks embedded the MISS code. (handler, dispatcher).
-  __ cmpp(receiver, Immediate(stress));
-
-  __ bind(&sound_alarm);
-  __ Push(Smi::FromInt(0xaabbccdd));
-  __ Push(receiver);
-  __ movp(rbx, FieldOperand(receiver, HeapObject::kMapOffset));
-  __ Push(rbx);
-  __ movp(rbx, FieldOperand(receiver, JSObject::kPropertiesOffset));
-  __ Push(rbx);
-  __ int3();
-
-  __ bind(&ok);
-
  // Perform tail call to the entry.
  int arg_count = 4;
  __ TailCallRuntime(Runtime::kLoadIC_Miss, arg_count, 1);

--- a/src/ic/x87/ic-x87.cc
+++ b/src/ic/x87/ic-x87.cc
@@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }


-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
  // Return address is on the stack.
  __ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);
  LoadIC_PushArgs(masm);

--- a/src/x64/code-stubs-x64.cc
+++ b/src/x64/code-stubs-x64.cc
@@ -4355,7 +4355,7 @@ void LoadICStub::GenerateImpl(MacroAssembler* masm, bool in_frame) {
      masm, Code::LOAD_IC, code_flags, receiver, name, feedback, no_reg);

  __ bind(&miss);
-  LoadIC::GenerateMiss(masm, LoadIC::kStressDispatcher);
+  LoadIC::GenerateMiss(masm);

  __ bind(&load_smi_map);
  __ LoadRoot(receiver_map, Heap::kHeapNumberMapRootIndex);