[objects] Relax JSBoundFunction verification.

The heap verifier does certain invariant checks on JSBoundFunction objects, i.e. it assumes that the bound_target_function is a proper JSReceiver. The Deoptimizer cannot maintain this invariant, because it first allocates the JSBoundFunction in an invalid state and only afterwards fix up the state. But the GC (and thus the heap verifier) can observe this invalid state why materializing field values, so we need to relax the verification slightly. BUG=chromium:729573,chromium:732176 R=mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2933283002 Cr-Commit-Position: refs/heads/master@{#45988}

[objects] Relax JSBoundFunction verification.
The heap verifier does certain invariant checks on JSBoundFunction objects, i.e. it assumes that the bound_target_function is a proper JSReceiver. The Deoptimizer cannot maintain this invariant, because it first allocates the JSBoundFunction in an invalid state and only afterwards fix up the state. But the GC (and thus the heap verifier) can observe this invalid state why materializing field values, so we need to relax the verification slightly. BUG=chromium:729573,chromium:732176 R=mstarzinger@chromium.org Review-Url: https://codereview.chromium.org/2933283002 Cr-Commit-Position: refs/heads/master@{#45988}
a9b9c7ab · bmeurer · Commit Bot · 8a32788f · a9b9c7ab · a9b9c7ab
Commit a9b9c7ab authored Jun 19, 2017 by bmeurer Committed by Commit Bot Jun 19, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 3 deletions

objects-debug.cc src/objects-debug.cc +6 -3

objects-inl.h src/objects-inl.h +3 -0

objects.h src/objects.h +1 -0

No files found.
--- a/src/objects-debug.cc
+++ b/src/objects-debug.cc
@@ -687,11 +687,14 @@ void JSBoundFunction::JSBoundFunctionVerify() {
  VerifyObjectField(kBoundThisOffset);
  VerifyObjectField(kBoundTargetFunctionOffset);
  VerifyObjectField(kBoundArgumentsOffset);
-  CHECK(bound_target_function()->IsCallable());
  CHECK(IsCallable());
-  CHECK_EQ(IsConstructor(), bound_target_function()->IsConstructor());
-}
+  Isolate* const isolate = GetIsolate();
+  if (!raw_bound_target_function()->IsUndefined(isolate)) {
+    CHECK(bound_target_function()->IsCallable());
+    CHECK_EQ(IsConstructor(), bound_target_function()->IsConstructor());
+  }
+}
 void JSFunction::JSFunctionVerify() {
  CHECK(IsJSFunction());

--- a/src/objects-inl.h
+++ b/src/objects-inl.h
@@ -4505,6 +4505,9 @@ Handle<Map> Map::CopyInitialMap(Handle<Map> map) {
                        map->unused_property_fields());
 }
+Object* JSBoundFunction::raw_bound_target_function() const {
+  return READ_FIELD(this, kBoundTargetFunctionOffset);
+}
 ACCESSORS(JSBoundFunction, bound_target_function, JSReceiver,
          kBoundTargetFunctionOffset)

--- a/src/objects.h
+++ b/src/objects.h
@@ -4947,6 +4947,7 @@ class Module : public Struct {
 class JSBoundFunction : public JSObject {
 public:
  // [bound_target_function]: The wrapped function object.
+  inline Object* raw_bound_target_function() const;
  DECL_ACCESSORS(bound_target_function, JSReceiver)
  // [bound_this]: The value that is always passed as the this value when