Commit c8d1ca8a authored by Seth Brenith's avatar Seth Brenith Committed by V8 LUCI CQ

Fix crash in background merging of deserialized scripts

BackgroundMergeTask::CompleteMergeInForeground contained an incorrect
assumption that some SharedFunctionInfos would have bytecode arrays.

Bug: v8:12808, chromium:1360024
Change-Id: I42ca22fc3a4412aea5e5a433e63c685eaf2af242
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3888198
Reviewed-by: Leszek Swirski <leszeks@chromium.org>
Commit-Queue: Seth Brenith <seth.brenith@microsoft.com>
Cr-Commit-Position: refs/heads/main@{#83133}
parent 9c95863d
......@@ -2099,11 +2099,15 @@ Handle<SharedFunctionInfo> BackgroundMergeTask::CompleteMergeInForeground(
// pools is required.
if (forwarder.HasAnythingToForward()) {
for (Handle<SharedFunctionInfo> new_sfi : used_new_sfis_) {
forwarder.AddBytecodeArray(new_sfi->GetBytecodeArray(isolate));
if (new_sfi->HasBytecodeArray(isolate)) {
forwarder.AddBytecodeArray(new_sfi->GetBytecodeArray(isolate));
}
}
for (const auto& new_compiled_data : new_compiled_data_for_cached_sfis_) {
forwarder.AddBytecodeArray(
new_compiled_data.cached_sfi->GetBytecodeArray(isolate));
if (new_compiled_data.cached_sfi->HasBytecodeArray(isolate)) {
forwarder.AddBytecodeArray(
new_compiled_data.cached_sfi->GetBytecodeArray(isolate));
}
}
forwarder.IterateAndForwardPointers();
}
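Review bot: The new HasBytecodeArray guard is repeated verbatim in both loops but nothing in the hunk records why an SFI that the merge selected may carry no bytecode; a one-line comment above the first loop, `// SFIs selected from the new script may still be uncompiled (lazy), so only forward bytecode that actually exists.`, would pin the invariant this fix depends on. The two guarded bodies could also share a small lambda, `auto forward_bytecode = [&](Handle<SharedFunctionInfo> sfi) { if (sfi->HasBytecodeArray(isolate)) forwarder.AddBytecodeArray(sfi->GetBytecodeArray(isolate)); };`, so the check cannot drift between the two call sites. The has/get pair is presumably safe from a concurrent bytecode flush because this runs on the main thread, as the function name suggests; worth confirming rather than assuming. CompleteMergeInForeground begins before and continues past this hunk.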
......@@ -617,4 +617,19 @@ TEST_F(MergeDeserializedCodeTest, MainThreadReMerge) {
true); // lazy_should_be_compiled
}
TEST_F(MergeDeserializedCodeTest, Regress1360024) {
// This test case triggers a re-merge on the main thread, similar to
// MainThreadReMerge. However, it does not retain the lazy function's SFI at
// any step, which causes the merge to use the SFI from the newly deserialized
// script for that function. This exercises a bug in the original
// implementation where the re-merging on the main thread would crash if the
// merge algorithm had selected any uncompiled SFIs from the new script.
TestOffThreadMerge(kToplevelAndEager, // retained_before_background_merge
kToplevelAndEager, // aged_before_background_merge
true, // run_code_after_background_merge
kToplevelAndEager, // retained_after_background_merge
kToplevelSfiFlag, // aged_after_background_merge
true); // lazy_should_be_compiled
}
} // namespace v8