Commit 45fc8f4c authored by mvstanton's avatar mvstanton Committed by Commit bot

Bugfix: type feedback vector should allocate *before* changing internal state.

An allocation can reenter type feedback code because of a triggered GC. Make
sure the vector state remains coherent at these points.

BUG=568524
LOG=N

Review URL: https://codereview.chromium.org/1517613003

Cr-Commit-Position: refs/heads/master@{#32766}
parent 1c5df4fb
...@@ -543,8 +543,8 @@ void KeyedLoadICNexus::ConfigureMonomorphic(Handle<Name> name, ...@@ -543,8 +543,8 @@ void KeyedLoadICNexus::ConfigureMonomorphic(Handle<Name> name,
SetFeedback(*cell); SetFeedback(*cell);
SetFeedbackExtra(*handler); SetFeedbackExtra(*handler);
} else { } else {
SetFeedback(*name);
Handle<FixedArray> array = EnsureExtraArrayOfSize(2); Handle<FixedArray> array = EnsureExtraArrayOfSize(2);
SetFeedback(*name);
array->set(0, *cell); array->set(0, *cell);
array->set(1, *handler); array->set(1, *handler);
} }
...@@ -567,8 +567,8 @@ void KeyedStoreICNexus::ConfigureMonomorphic(Handle<Name> name, ...@@ -567,8 +567,8 @@ void KeyedStoreICNexus::ConfigureMonomorphic(Handle<Name> name,
SetFeedback(*cell); SetFeedback(*cell);
SetFeedbackExtra(*handler); SetFeedbackExtra(*handler);
} else { } else {
SetFeedback(*name);
Handle<FixedArray> array = EnsureExtraArrayOfSize(2); Handle<FixedArray> array = EnsureExtraArrayOfSize(2);
SetFeedback(*name);
array->set(0, *cell); array->set(0, *cell);
array->set(1, *handler); array->set(1, *handler);
} }
...@@ -597,8 +597,8 @@ void KeyedLoadICNexus::ConfigurePolymorphic(Handle<Name> name, ...@@ -597,8 +597,8 @@ void KeyedLoadICNexus::ConfigurePolymorphic(Handle<Name> name,
SetFeedbackExtra(*TypeFeedbackVector::UninitializedSentinel(GetIsolate()), SetFeedbackExtra(*TypeFeedbackVector::UninitializedSentinel(GetIsolate()),
SKIP_WRITE_BARRIER); SKIP_WRITE_BARRIER);
} else { } else {
SetFeedback(*name);
array = EnsureExtraArrayOfSize(receiver_count * 2); array = EnsureExtraArrayOfSize(receiver_count * 2);
SetFeedback(*name);
} }
InstallHandlers(array, maps, handlers); InstallHandlers(array, maps, handlers);
...@@ -627,8 +627,8 @@ void KeyedStoreICNexus::ConfigurePolymorphic(Handle<Name> name, ...@@ -627,8 +627,8 @@ void KeyedStoreICNexus::ConfigurePolymorphic(Handle<Name> name,
SetFeedbackExtra(*TypeFeedbackVector::UninitializedSentinel(GetIsolate()), SetFeedbackExtra(*TypeFeedbackVector::UninitializedSentinel(GetIsolate()),
SKIP_WRITE_BARRIER); SKIP_WRITE_BARRIER);
} else { } else {
SetFeedback(*name);
array = EnsureExtraArrayOfSize(receiver_count * 2); array = EnsureExtraArrayOfSize(receiver_count * 2);
SetFeedback(*name);
} }
InstallHandlers(array, maps, handlers); InstallHandlers(array, maps, handlers);
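Review bot: Nothing in the new code records why `SetFeedback(*name)` has to come after `EnsureExtraArrayOfSize(...)`, so a later cleanup could silently restore the old order in any of the four hunks (both ConfigureMonomorphic and both ConfigurePolymorphic bodies); a comment at each site such as `// Allocate first: a GC triggered here can re-enter feedback code, which must still see a coherent slot.` would pin it. In the two ConfigurePolymorphic hunks `InstallHandlers(array, maps, handlers)` still runs after `SetFeedback(*name)`; its body is not on this page, but if it can allocate, the same reentrancy window would remain, with the name already installed and the array only partly filled, so that is worth confirming. No regression test for BUG=568524 is visible in this section. All four function bodies start and end outside the hunks shown, and the new side is read from the commit message because the rendering lost its `+`/`-` markers.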
......