[interpreter] Fix stack unwinding of deoptimized frames.

This fixes stack unwinding to always recompute the stack pointer for interpreted frames. For frames materialized by the deoptimizer we elide the handler frame in between, hence arguments being pushed on the stack will no longer be pushed into the handler frame but into the interpreted frame directly. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-662830 BUG=chromium:662830 Review-Url: https://codereview.chromium.org/2517203003 Cr-Commit-Position: refs/heads/master@{#41170}

[interpreter] Fix stack unwinding of deoptimized frames.
This fixes stack unwinding to always recompute the stack pointer for interpreted frames. For frames materialized by the deoptimizer we elide the handler frame in between, hence arguments being pushed on the stack will no longer be pushed into the handler frame but into the interpreted frame directly. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-662830 BUG=chromium:662830 Review-Url: https://codereview.chromium.org/2517203003 Cr-Commit-Position: refs/heads/master@{#41170}
a90671f1 · mstarzinger · Commit bot · 84c9360b · a90671f1 · a90671f1
Commit a90671f1 authored Nov 22, 2016 by mstarzinger Committed by Commit bot Nov 22, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 1 deletion

isolate.cc src/isolate.cc +11 -1

regress-crbug-662830.js test/mjsunit/regress/regress-crbug-662830.js +19 -0

No files found.
--- a/src/isolate.cc
+++ b/src/isolate.cc
@@ -1269,9 +1269,19 @@ Object* Isolate::UnwindAndFindHandler() {
    // For interpreted frame we perform a range lookup in the handler table.
    if (frame->is_interpreted() && catchable_by_js) {
      InterpretedFrame* js_frame = static_cast<InterpretedFrame*>(frame);
+      int register_slots = js_frame->GetBytecodeArray()->register_count();
      int context_reg = 0;  // Will contain register index holding context.
      offset = js_frame->LookupExceptionHandlerInTable(&context_reg, nullptr);
      if (offset >= 0) {
+        // Compute the stack pointer from the frame pointer. This ensures that
+        // argument slots on the stack are dropped as returning would.
+        // Note: This is only needed for interpreted frames that have been
+        //       materialized by the deoptimizer. If there is a handler frame
+        //       in between then {frame->sp()} would already be correct.
+        Address return_sp = frame->fp() -
+                            InterpreterFrameConstants::kFixedFrameSizeFromFp -
+                            register_slots * kPointerSize;
+
        // Patch the bytecode offset in the interpreted frame to reflect the
        // position of the exception handler. The special builtin below will
        // take care of continuing to dispatch at that position. Also restore
@@ -1282,7 +1292,7 @@ Object* Isolate::UnwindAndFindHandler() {

        // Gather information from the frame.
        code = *builtins()->InterpreterEnterBytecodeDispatch();
-        handler_sp = frame->sp();
+        handler_sp = return_sp;
        handler_fp = frame->fp();
        break;
      }

--- a/test/mjsunit/regress/regress-crbug-662830.js
+++ b/test/mjsunit/regress/regress-crbug-662830.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() {
+  %_DeoptimizeNow();
+  throw 1;
+}
+
+function g() {
+  try { f(); } catch(e) { }
+  for (var i = 0; i < 3; ++i) if (i === 1) %OptimizeOsr();
+  %_DeoptimizeNow();
+}
+
+%OptimizeFunctionOnNextCall(g);
+g();