[turboprop] Don't use weak pointers across TryMigrateInstance calls

We shouldn't spill weak pointers onto the stack when calling functions that can trigger GC. DynamicMapChecks operator was using feedback loaded from the feedback vector across the TryMigrateInstance function call. The feedback can be a weak pointer to receiver map for monomorphic cases and TryMigrateInstance can trigger a GC. This cl fixes it by holding a holding a strong reference to the feedback. Bug: v8:10774,v8:10582,v8:9684 Change-Id: Ia36f4d8ad46421ae570f41439bc1f0875081deee Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2336804Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#69338}

[turboprop] Don't use weak pointers across TryMigrateInstance calls
We shouldn't spill weak pointers onto the stack when calling functions that can trigger GC. DynamicMapChecks operator was using feedback loaded from the feedback vector across the TryMigrateInstance function call. The feedback can be a weak pointer to receiver map for monomorphic cases and TryMigrateInstance can trigger a GC. This cl fixes it by holding a holding a strong reference to the feedback. Bug: v8:10774,v8:10582,v8:9684 Change-Id: Ia36f4d8ad46421ae570f41439bc1f0875081deee Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2336804Reviewed-by: Georg Neis <neis@chromium.org> Reviewed-by: Sathya Gunasekaran <gsathya@chromium.org> Commit-Queue: Mythri Alle <mythria@chromium.org> Cr-Commit-Position: refs/heads/master@{#69338}
d88df03a · Mythri A · Commit Bot · d84f900b · d88df03a · d88df03a
Commit d88df03a authored Aug 11, 2020 by Mythri A Committed by Commit Bot Aug 11, 2020
4 changed files
--- a/src/compiler/effect-control-linearizer.cc
+++ b/src/compiler/effect-control-linearizer.cc
--- a/src/compiler/graph-assembler.cc
+++ b/src/compiler/graph-assembler.cc
@@ -730,6 +730,15 @@ Node* GraphAssembler::DeoptimizeIf(DeoptimizeReason reason,
                       condition, frame_state, effect(), control()));
 }

+Node* GraphAssembler::DeoptimizeIf(DeoptimizeKind kind, DeoptimizeReason reason,
+                                   FeedbackSource const& feedback,
+                                   Node* condition, Node* frame_state,
+                                   IsSafetyCheck is_safety_check) {
+  return AddNode(graph()->NewNode(
+      common()->DeoptimizeIf(kind, reason, feedback, is_safety_check),
+      condition, frame_state, effect(), control()));
+}
+
 Node* GraphAssembler::DeoptimizeIfNot(DeoptimizeKind kind,
                                      DeoptimizeReason reason,
                                      FeedbackSource const& feedback,

--- a/src/compiler/graph-assembler.h
+++ b/src/compiler/graph-assembler.h
@@ -295,6 +295,10 @@ class V8_EXPORT_PRIVATE GraphAssembler {
      DeoptimizeReason reason, FeedbackSource const& feedback, Node* condition,
      Node* frame_state,
      IsSafetyCheck is_safety_check = IsSafetyCheck::kSafetyCheck);
+  Node* DeoptimizeIf(
+      DeoptimizeKind kind, DeoptimizeReason reason,
+      FeedbackSource const& feedback, Node* condition, Node* frame_state,
+      IsSafetyCheck is_safety_check = IsSafetyCheck::kSafetyCheck);
  Node* DeoptimizeIfNot(
      DeoptimizeKind kind, DeoptimizeReason reason,
      FeedbackSource const& feedback, Node* condition, Node* frame_state,

--- a/test/cctest/heap/test-heap.cc
+++ b/test/cctest/heap/test-heap.cc
@@ -1263,6 +1263,63 @@ HEAP_TEST(Regress10560) {
  }
 }

+// Tests that spill slots from optimized code don't have weak pointers.
+TEST(Regress10774) {
+  i::FLAG_allow_natives_syntax = true;
+  i::FLAG_dynamic_map_checks = true;
+#ifdef VERIFY_HEAP
+  i::FLAG_verify_heap = true;
+#endif
+
+  ManualGCScope manual_gc_scope;
+  CcTest::InitializeVM();
+  v8::Isolate* isolate = CcTest::isolate();
+  Isolate* i_isolate = CcTest::i_isolate();
+  Factory* factory = i_isolate->factory();
+  Heap* heap = i_isolate->heap();
+
+  {
+    v8::HandleScope scope(isolate);
+    // We want to generate optimized code with dynamic map check operator that
+    // migrates deprecated maps. To force this, we want the IC state to be
+    // monomorphic and the map in the feedback should be a migration target.
+    const char* source =
+        "function f(o) {"
+        "  return o.b;"
+        "}"
+        "var o = {a:10, b:20};"
+        "var o1 = {a:10, b:20};"
+        "var o2 = {a:10, b:20};"
+        "%PrepareFunctionForOptimization(f);"
+        "f(o);"
+        "o1.b = 10.23;"  // Deprecate O's map.
+        "f(o1);"         // Install new map in IC
+        "f(o);"          // Mark o's map as migration target
+        "%OptimizeFunctionOnNextCall(f);"
+        "f(o);";
+    CompileRun(source);
+
+    Handle<String> foo_name = factory->InternalizeUtf8String("f");
+    Handle<Object> func_value =
+        Object::GetProperty(i_isolate, i_isolate->global_object(), foo_name)
+            .ToHandleChecked();
+    CHECK(func_value->IsJSFunction());
+    Handle<JSFunction> fun = Handle<JSFunction>::cast(func_value);
+
+    Handle<String> obj_name = factory->InternalizeUtf8String("o2");
+    Handle<Object> obj_value =
+        Object::GetProperty(i_isolate, i_isolate->global_object(), obj_name)
+            .ToHandleChecked();
+
+    heap::SimulateFullSpace(heap->new_space());
+
+    Handle<JSObject> global(i_isolate->context().global_object(), i_isolate);
+    // O2 still has the deprecated map and the optimized code should migrate O2
+    // successfully. This shouldn't crash.
+    Execution::Call(i_isolate, fun, global, 1, &obj_value).ToHandleChecked();
+  }
+}
+
 #ifndef V8_LITE_MODE

 TEST(TestOptimizeAfterBytecodeFlushingCandidate) {