[TurboFan] Check deoptimized status on CodeRef

When making inlining decisions, we are interested in
CodeRef::inlined_bytecode_size(). Previously, we gated a check of this
value on predicate JSFunctionRef::HasAttachedOptimizedCode(), but we
removed this predicate because it only recorded a value seen at
serialization time.

Now, we look at attached CodeRefs "live," which means we might discover
that the code is now optimized, where it wasn't at serialization time.
This affects the inlining decision. This CL adds an additional check
before returning a non-zero inlined_bytecode_size that the code object
hasn't (already) been deoptimized. It's logical to do this, because the
inlined_bytecode_size is actually a stale value at this point.

Bug: chromium:1180749
Change-Id: I4d55132c5b47083413d3c6b1d934bfce6b550709
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2712565
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#72960}

src/compiler/heap-refs.h

@@ -1011,7 +1011,7 @@ class CodeRef : public HeapObjectRef {
 
   Handle<Code> object() const;
 
-  unsigned inlined_bytecode_size() const;
+  unsigned GetInlinedBytecodeSize() const;
 };
 
 class InternalizedStringRef : public StringRef {

src/compiler/js-heap-broker.cc

@@ -2170,7 +2170,10 @@ class CodeData : public HeapObjectData {
  public:
   CodeData(JSHeapBroker* broker, ObjectData** storage, Handle<Code> object)
       : HeapObjectData(broker, storage, object),
-        inlined_bytecode_size_(object->inlined_bytecode_size()) {
+        inlined_bytecode_size_(object->inlined_bytecode_size() > 0 &&
+                                       !object->marked_for_deoptimization()
+                                   ? object->inlined_bytecode_size()
+                                   : 0) {
     DCHECK(!FLAG_turbo_direct_heap_access);
   }
 
@@ -3559,8 +3562,6 @@ BIMODAL_ACCESSOR(Map, Object, GetConstructor)
 BIMODAL_ACCESSOR_WITH_FLAG(Map, HeapObject, GetBackPointer)
 BIMODAL_ACCESSOR_C(Map, bool, is_abandoned_prototype_map)
 
-BIMODAL_ACCESSOR_C(Code, unsigned, inlined_bytecode_size)
-
 #define DEF_NATIVE_CONTEXT_ACCESSOR(type, name) \
   BIMODAL_ACCESSOR(NativeContext, type, name)
 BROKER_NATIVE_CONTEXT_FIELDS(DEF_NATIVE_CONTEXT_ACCESSOR)
@@ -5567,6 +5568,20 @@ TemplateObjectFeedback const& ProcessedFeedback::AsTemplateObject() const {
   return *static_cast<TemplateObjectFeedback const*>(this);
 }
 
+unsigned CodeRef::GetInlinedBytecodeSize() const {
+  if (data_->should_access_heap()) {
+    unsigned value = object()->inlined_bytecode_size();
+    if (value > 0) {
+      // Don't report inlined bytecode size if the code object was already
+      // deoptimized.
+      value = object()->marked_for_deoptimization() ? 0 : value;
+    }
+    return value;
+  }
+
+  return ObjectRef::data()->AsCode()->inlined_bytecode_size();
+}
+
 #undef BIMODAL_ACCESSOR
 #undef BIMODAL_ACCESSOR_B
 #undef BIMODAL_ACCESSOR_C

src/compiler/js-inlining-heuristic.cc

@@ -204,7 +204,7 @@ Reduction JSInliningHeuristic::Reduce(Node* node) {
       unsigned inlined_bytecode_size = 0;
       if (candidate.functions[i].has_value()) {
         JSFunctionRef function = candidate.functions[i].value();
-        inlined_bytecode_size = function.code().inlined_bytecode_size();
+        inlined_bytecode_size = function.code().GetInlinedBytecodeSize();
         candidate.total_size += inlined_bytecode_size;
       }
       candidate_is_small = candidate_is_small &&
@@ -790,7 +790,7 @@ void JSInliningHeuristic::PrintCandidates() {
         if (candidate.functions[i].has_value()) {
           JSFunctionRef function = candidate.functions[i].value();
           unsigned inlined_bytecode_size =
-              function.code().inlined_bytecode_size();
+              function.code().GetInlinedBytecodeSize();
           if (inlined_bytecode_size > 0) {
             os << ", existing opt code's inlined bytecode size: "
                << inlined_bytecode_size;