Commit 7e0f961e authored by Simon Zünd's avatar Simon Zünd Committed by Commit Bot

[deoptimizer] Handle continuation frames that are not preceded by adapter frames

This CL teaches the deoptimizer about JavaScriptBuiltinContinuation
frames that are not preceded by argument adapter frames. This pattern
is used when calling C++ API functions from TurboFan.

This CL fixes a crash when the deoptimizer encounters the pattern
described above. The crash was caused when the deoptimizer tried to
read the arguments of the continuation frame. As no adapter frame
was present, the argument count was read from the SharedFunctionInfo
which had the kDontAdaptArgumentsSentinel value. This translated to
an argument count of ~65000 later down the line, which caused a
FATAL error when the deoptimizer tried to re-construct ~65000
non-existent values.

Bug: chromium:980529
Change-Id: Id2de3bf7607102ab5a16de344c649015e968b185
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1687417Reviewed-by: 's avatarBenedikt Meurer <bmeurer@chromium.org>
Reviewed-by: 's avatarSigurd Schneider <sigurds@chromium.org>
Commit-Queue: Simon Zünd <szuend@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62547}
parent ec53cff9
......@@ -3892,8 +3892,32 @@ TranslatedFrame* TranslatedState::GetArgumentsInfoFromJSFrameIndex(
*args_count = frames_[i - 1].height();
return &(frames_[i - 1]);
}
*args_count =
frames_[i].shared_info()->internal_formal_parameter_count() + 1;
// JavaScriptBuiltinContinuation frames that are not preceeded by
// a arguments adapter frame are currently only used by C++ API calls
// from TurboFan. Calls to C++ API functions from TurboFan need
// a special marker frame state, otherwise the API call wouldn't
// be shown in a stack trace.
if (frames_[i].kind() ==
TranslatedFrame::kJavaScriptBuiltinContinuation &&
frames_[i].shared_info()->internal_formal_parameter_count() ==
SharedFunctionInfo::kDontAdaptArgumentsSentinel) {
DCHECK(frames_[i].shared_info()->IsApiFunction());
// The argument count for this special case is always the second
// to last value in the TranslatedFrame. It should also always be
// {1}, as the GenericLazyDeoptContinuation builtin only has one
// argument (the receiver).
const int height = frames_[i].height();
Object argc_object = frames_[i].ValueAt(height - 1)->GetRawValue();
CHECK(argc_object.IsSmi());
*args_count = Smi::ToInt(argc_object);
DCHECK_EQ(*args_count, 1);
} else {
*args_count =
frames_[i].shared_info()->internal_formal_parameter_count() + 1;
}
return &(frames_[i]);
}
}
......
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt --no-always-opt
const a = {toString: () => {
console.log("print arguments", print.arguments);
}};
function g(x) {
print(x);
}
%PrepareFunctionForOptimization(g);
g(a);
g(a);
%OptimizeFunctionOnNextCall(g);
g(a);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment