Fix terrible interaction with code flushing.

This fixes a terrible interaction of code flushing and the clearing of
optimized code maps hanging off a SharedFunctionInfo. The following is
what happened:
1) Incremental marking cleared map in SharedFunctionInfo s, however it
   was not enqueued as a flushing candidate because one JSFunction f1
   still had optimized code.
2) Deoptimization of f1 made s eligible for code flushing.
3) Optimization of f2 added new entry to optimized code map of s.
4) The JSFunction f2 became unreachable and hence is never marked.
5) Incremental marking now visits f1, finds it eligible for flushing,
   also s is eligible for flushing, both are enqueued.
6) Marking finishes, code flusher clears f1 and s, but the optimized
   code map of s still contains an entry.
7) Boom!

R=ulan@chromium.org,hpayer@chromium.org
TEST=mjsunit/es6/generators-iteration
BUG=v8:3803
LOG=N

Review URL: https://codereview.chromium.org/1197713004

Cr-Commit-Position: refs/heads/master@{#29177}

src/compiler.cc

@@ -705,7 +705,10 @@ MUST_USE_RESULT static MaybeHandle<Code> GetCodeFromOptimizedCodeMap(
       }
       FixedArray* literals = shared->GetLiteralsFromOptimizedCodeMap(index);
       if (literals != NULL) function->set_literals(literals);
-      return Handle<Code>(shared->GetCodeFromOptimizedCodeMap(index));
+      Code* code = shared->GetCodeFromOptimizedCodeMap(index);
+      DCHECK(!code->marked_for_deoptimization());
+      DCHECK(function->shared()->is_compiled());
+      return Handle<Code>(code);
     }
   }
   return MaybeHandle<Code>();

src/factory.cc

@@ -1392,6 +1392,7 @@ Handle<JSFunction> Factory::NewFunctionFromSharedFunctionInfo(
     if (literals != NULL) result->set_literals(literals);
     Code* code = info->GetCodeFromOptimizedCodeMap(index);
     DCHECK(!code->marked_for_deoptimization());
+    DCHECK(result->shared()->is_compiled());
     result->ReplaceCode(code);
   }
 

src/heap/mark-compact.cc

@@ -898,6 +898,11 @@ void CodeFlusher::ProcessJSFunctionCandidates() {
         shared->ShortPrint();
         PrintF(" - age: %d]\n", code->GetAge());
       }
+      // Always flush the optimized code map if requested by flag.
+      if (FLAG_cache_optimized_code && FLAG_flush_optimized_code_cache &&
+          !shared->optimized_code_map()->IsSmi()) {
+        shared->ClearOptimizedCodeMap();
+      }
       shared->set_code(lazy_compile);
       candidate->set_code(lazy_compile);
     } else {
@@ -941,6 +946,11 @@ void CodeFlusher::ProcessSharedFunctionInfoCandidates() {
         candidate->ShortPrint();
         PrintF(" - age: %d]\n", code->GetAge());
       }
+      // Always flush the optimized code map if requested by flag.
+      if (FLAG_cache_optimized_code && FLAG_flush_optimized_code_cache &&
+          !candidate->optimized_code_map()->IsSmi()) {
+        candidate->ClearOptimizedCodeMap();
+      }
       candidate->set_code(lazy_compile);
     }
 

test/mjsunit/mjsunit.status

@@ -295,9 +295,6 @@
   'regress/regress-3717': [SKIP],
   # Issue 478788.
   'es7/object-observe': [SKIP],
-
-  # Issue 3803.
-  'es6/generators-iteration': [PASS, FLAKY],
 }],  # 'gc_stress == True'
 
 ##############################################################################