[turbofan] Fix memory corruption with VirtualBoundFunctions

Bug: chromium:1018565 Change-Id: I72d41573a9a8c2f1a235ff50e918f89b1dc3f585 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879904 Commit-Queue: Maya Lekova <mslekova@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#64588}

[turbofan] Fix memory corruption with VirtualBoundFunctions
Bug: chromium:1018565 Change-Id: I72d41573a9a8c2f1a235ff50e918f89b1dc3f585 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1879904 Commit-Queue: Maya Lekova <mslekova@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#64588}
48fb778e · Maya Lekova · Commit Bot · d4574d18 · 48fb778e · 48fb778e
Commit 48fb778e authored Oct 28, 2019 by Maya Lekova Committed by Commit Bot Oct 28, 2019
Showing with 36 additions and 6 deletions

serializer-for-background-compilation.cc src/compiler/serializer-for-background-compilation.cc +16 -6

regress-bound-functions.js test/mjsunit/compiler/regress-bound-functions.js +20 -0

No files found.
--- a/src/compiler/serializer-for-background-compilation.cc
+++ b/src/compiler/serializer-for-background-compilation.cc
@@ -734,14 +734,11 @@ void Hints::AddFromChildSerializer(const Hints& other, Zone* zone) {
  for (auto x : other.constants()) AddConstant(x, zone);
  for (auto x : other.maps()) AddMap(x, zone);
  for (auto x : other.virtual_contexts()) AddVirtualContext(x, zone);
-  for (auto x : other.virtual_bound_functions()) {
-    AddVirtualBoundFunction(x, zone);
-  }

  // Adding hints from a child serializer run means copying data out from
-  // a zone that's being destroyed. FunctionBlueprints have zone allocated
-  // data, so we've got to make a deep copy to eliminate traces of the
-  // dying zone.
+  // a zone that's being destroyed. FunctionBlueprints and VirtualBoundFunction
+  // have zone allocated data, so we've got to make a deep copy to eliminate
+  // traces of the dying zone.
  for (auto x : other.function_blueprints()) {
    Hints new_blueprint_hints;
    new_blueprint_hints.AddFromChildSerializer(x.context_hints(), zone);
@@ -749,6 +746,19 @@ void Hints::AddFromChildSerializer(const Hints& other, Zone* zone) {
                                    new_blueprint_hints);
    AddFunctionBlueprint(new_blueprint, zone);
  }
+  for (auto x : other.virtual_bound_functions()) {
+    Hints new_target_hints;
+    new_target_hints.AddFromChildSerializer(x.bound_target, zone);
+    HintsVector new_arguments_hints(zone);
+    for (auto hint : x.bound_arguments) {
+      Hints new_arg_hints;
+      new_arg_hints.AddFromChildSerializer(hint, zone);
+      new_arguments_hints.push_back(new_arg_hints);
+    }
+    VirtualBoundFunction new_bound_function(new_target_hints,
+                                            new_arguments_hints);
+    AddVirtualBoundFunction(new_bound_function, zone);
+  }
 }

 bool Hints::IsEmpty() const {

--- a/test/mjsunit/compiler/regress-bound-functions.js
+++ b/test/mjsunit/compiler/regress-bound-functions.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+  return Array.prototype.sort.bind([]);
+}
+
+function bar() {
+  return foo();
+}
+
+%PrepareFunctionForOptimization(foo);
+%PrepareFunctionForOptimization(bar);
+bar();
+bar();
+%OptimizeFunctionOnNextCall(bar);
+bar();