Fix resuming generator marked for optimization.

This fixes a corner case where the generator function of a suspended generator has been marked for optimization. We assume the optimization approach will cause a bailout because generators are not optimized. But resuming is more resilient by always activating the unoptimized code. R=neis@chromium.org,bmeurer@chromium.org TEST=mjsunit/regress/regress-crbug-513471 BUG=chromium:513471 LOG=n Review URL: https://codereview.chromium.org/1856683002 Cr-Commit-Position: refs/heads/master@{#35234}

Fix resuming generator marked for optimization.
This fixes a corner case where the generator function of a suspended generator has been marked for optimization. We assume the optimization approach will cause a bailout because generators are not optimized. But resuming is more resilient by always activating the unoptimized code. R=neis@chromium.org,bmeurer@chromium.org TEST=mjsunit/regress/regress-crbug-513471 BUG=chromium:513471 LOG=n Review URL: https://codereview.chromium.org/1856683002 Cr-Commit-Position: refs/heads/master@{#35234}
6ab9c185 · mstarzinger · Commit bot · 2b9c99a8 · 6ab9c185 · 6ab9c185
Commit 6ab9c185 authored Apr 04, 2016 by mstarzinger Committed by Commit bot Apr 04, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 6 deletions

runtime-generator.cc src/runtime/runtime-generator.cc +8 -6

regress-crbug-513471.js test/mjsunit/regress/regress-crbug-513471.js +10 -0

No files found.
--- a/src/runtime/runtime-generator.cc
+++ b/src/runtime/runtime-generator.cc
@@ -43,6 +43,8 @@ RUNTIME_FUNCTION(Runtime_SuspendJSGeneratorObject) {
  JavaScriptFrame* frame = stack_iterator.frame();
  RUNTIME_ASSERT(frame->function()->shared()->is_generator());
  DCHECK_EQ(frame->function(), generator_object->function());
+  DCHECK(frame->function()->shared()->is_compiled());
+  DCHECK(!frame->function()->IsOptimized());

  // The caller should have saved the context and continuation already.
  DCHECK_EQ(generator_object->context(), Context::cast(frame->context()));
@@ -88,18 +90,18 @@ RUNTIME_FUNCTION(Runtime_ResumeJSGeneratorObject) {
  JavaScriptFrame* frame = stack_iterator.frame();

  DCHECK_EQ(frame->function(), generator_object->function());
-  DCHECK(frame->function()->is_compiled());
+  DCHECK(frame->function()->shared()->is_compiled());
+  DCHECK(!frame->function()->IsOptimized());

  STATIC_ASSERT(JSGeneratorObject::kGeneratorExecuting < 0);
  STATIC_ASSERT(JSGeneratorObject::kGeneratorClosed == 0);

-  Address pc = generator_object->function()->code()->instruction_start();
+  Code* code = generator_object->function()->shared()->code();
  int offset = generator_object->continuation();
-  DCHECK(offset > 0);
-  frame->set_pc(pc + offset);
+  DCHECK_GT(offset, 0);
+  frame->set_pc(code->instruction_start() + offset);
  if (FLAG_enable_embedded_constant_pool) {
-    frame->set_constant_pool(
-        generator_object->function()->code()->constant_pool());
+    frame->set_constant_pool(code->constant_pool());
  }
  generator_object->set_continuation(JSGeneratorObject::kGeneratorExecuting);


--- a/test/mjsunit/regress/regress-crbug-513471.js
+++ b/test/mjsunit/regress/regress-crbug-513471.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var g = (function*(){});
+var f = g();
+%OptimizeFunctionOnNextCall(g);
+f.next();