[turbofan] Skip data-flow analysis of code entry field.

This makes escape analysis skip analyzing the code entry field within JSFunction objects. Said field is an untagged pointer field and hence cannot be tracked by an ObjectState node. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-613494 BUG=chromium:613494 Review-Url: https://codereview.chromium.org/1997353002 Cr-Commit-Position: refs/heads/master@{#36436}

[turbofan] Skip data-flow analysis of code entry field.
This makes escape analysis skip analyzing the code entry field within JSFunction objects. Said field is an untagged pointer field and hence cannot be tracked by an ObjectState node. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-613494 BUG=chromium:613494 Review-Url: https://codereview.chromium.org/1997353002 Cr-Commit-Position: refs/heads/master@{#36436}
dbd7d5a5 · mstarzinger · Commit bot · bf705f0f · dbd7d5a5 · dbd7d5a5
Commit dbd7d5a5 authored May 23, 2016 by mstarzinger Committed by Commit bot May 23, 2016
Showing with 25 additions and 0 deletions

escape-analysis.cc src/compiler/escape-analysis.cc +10 -0

escape-analysis.h src/compiler/escape-analysis.h +1 -0

regress-crbug-613494.js test/mjsunit/regress/regress-crbug-613494.js +14 -0

No files found.
--- a/src/compiler/escape-analysis.cc
+++ b/src/compiler/escape-analysis.cc
@@ -849,6 +849,7 @@ void EscapeStatusAnalysis::DebugPrint() {
 EscapeAnalysis::EscapeAnalysis(Graph* graph, CommonOperatorBuilder* common,
                               Zone* zone)
    : zone_(zone),
+      slot_not_analyzed_(graph->NewNode(common->NumberConstant(0x1c0debad))),
      common_(common),
      status_analysis_(new (zone) EscapeStatusAnalysis(this, graph, zone)),
      virtual_states_(zone),
@@ -1460,6 +1461,15 @@ void EscapeAnalysis::ProcessStoreField(Node* node) {
  if (obj && obj->IsTracked() &&
      static_cast<size_t>(offset) < obj->field_count()) {
    Node* val = ResolveReplacement(NodeProperties::GetValueInput(node, 1));
+    // TODO(mstarzinger): The following is a workaround to not track the code
+    // entry field in virtual JSFunction objects. We only ever store the inner
+    // pointer into the compile lazy stub in this field and the deoptimizer has
+    // this assumption hard-coded in {TranslatedState::MaterializeAt} as well.
+    if (val->opcode() == IrOpcode::kInt32Constant ||
+        val->opcode() == IrOpcode::kInt64Constant) {
+      DCHECK_EQ(JSFunction::kCodeEntryOffset, FieldAccessOf(node->op()).offset);
+      val = slot_not_analyzed_;
+    }
    if (obj->GetField(offset) != val) {
      obj = CopyForModificationAt(obj, state, node);
      obj->SetField(offset, val);

--- a/src/compiler/escape-analysis.h
+++ b/src/compiler/escape-analysis.h
@@ -70,6 +70,7 @@ class EscapeAnalysis {
  CommonOperatorBuilder* common() const { return common_; }

  Zone* const zone_;
+  Node* const slot_not_analyzed_;
  CommonOperatorBuilder* const common_;
  EscapeStatusAnalysis* status_analysis_;
  ZoneVector<VirtualState*> virtual_states_;

--- a/test/mjsunit/regress/regress-crbug-613494.js
+++ b/test/mjsunit/regress/regress-crbug-613494.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo-escape --noanalyze-environment-liveness
+
+function f() {
+  var bound = 0;
+  function g() { return bound }
+}
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();