Commit dd740bc2 authored by Fanchen Kong's avatar Fanchen Kong Committed by V8 LUCI CQ

Fix CSA_ASSERT failure in CollectCallFeedback

This failure comes as the feedback is cleared but the CallFeedbackContent field remain unchanged.

Bug: v8:11851
Change-Id: I75a0acad74dcaab1feafe97779e03caa8b7833de
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2948426
Commit-Queue: Fanchen Kong <fanchen.kong@intel.com>
Reviewed-by: 's avatarGeorg Neis <neis@chromium.org>
Reviewed-by: 's avatarRoss McIlroy <rmcilroy@chromium.org>
Cr-Commit-Position: refs/heads/master@{#75090}
parent 6ec261dc
...@@ -108,10 +108,15 @@ macro CollectCallFeedback( ...@@ -108,10 +108,15 @@ macro CollectCallFeedback(
if (IsMegamorphic(feedback)) return; if (IsMegamorphic(feedback)) return;
if (IsUninitialized(feedback)) goto TryInitializeAsMonomorphic; if (IsUninitialized(feedback)) goto TryInitializeAsMonomorphic;
// If cleared, we have a new chance to become monomorphic.
const feedbackValue: HeapObject =
MaybeObjectToStrong(feedback) otherwise TryReinitializeAsMonomorphic;
if (FeedbackValueIsReceiver(feedbackVector, slotId) && if (FeedbackValueIsReceiver(feedbackVector, slotId) &&
TaggedEqualPrototypeApplyFunction(maybeTarget)) { TaggedEqualPrototypeApplyFunction(maybeTarget)) {
// If the Receiver is recorded and the target is Function.prototype.apply, // If the Receiver is recorded and the target is
// check whether we can stay monomorphic based on the receiver. // Function.prototype.apply, check whether we can stay monomorphic based
// on the receiver.
if (IsMonomorphic(feedback, RunLazy(maybeReceiver))) { if (IsMonomorphic(feedback, RunLazy(maybeReceiver))) {
return; return;
} else { } else {
...@@ -124,10 +129,6 @@ macro CollectCallFeedback( ...@@ -124,10 +129,6 @@ macro CollectCallFeedback(
} }
} }
// If cleared, we have a new chance to become monomorphic.
const feedbackValue: HeapObject =
MaybeObjectToStrong(feedback) otherwise TryInitializeAsMonomorphic;
// Try transitioning to a feedback cell. // Try transitioning to a feedback cell.
// Check if {target}s feedback cell matches the {feedbackValue}. // Check if {target}s feedback cell matches the {feedbackValue}.
const target = const target =
...@@ -146,6 +147,10 @@ macro CollectCallFeedback( ...@@ -146,6 +147,10 @@ macro CollectCallFeedback(
StoreWeakReferenceInFeedbackVector(feedbackVector, slotId, feedbackCell); StoreWeakReferenceInFeedbackVector(feedbackVector, slotId, feedbackCell);
ReportFeedbackUpdate(feedbackVector, slotId, 'Call:FeedbackVectorCell'); ReportFeedbackUpdate(feedbackVector, slotId, 'Call:FeedbackVectorCell');
} label TryReinitializeAsMonomorphic {
SetCallFeedbackContent(
feedbackVector, slotId, CallFeedbackContent::kTarget);
goto TryInitializeAsMonomorphic;
} label TryInitializeAsMonomorphic { } label TryInitializeAsMonomorphic {
let recordedFunction = maybeTarget; let recordedFunction = maybeTarget;
if (TaggedEqualPrototypeApplyFunction(maybeTarget)) { if (TaggedEqualPrototypeApplyFunction(maybeTarget)) {
......
// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --expose-gc
function v0(v1) {
v1.apply();
}
function v2() {
function v3() {
}
%PrepareFunctionForOptimization(v0);
v0(v3);
%OptimizeFunctionOnNextCall(v0);
v0(v3);
}
v2();
gc();
assertThrows(function () { v0(2); }, TypeError);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment