[compiler] More conservative reads of call feedback

The `target` field of call feedback may be stored in the feedback vector without protection by generated code (see TryInitializeAsMonomorphic). We thus can't assume a memory fence exists when creating the ref, switch to TryMakeRef instead. Bug: v8:7790,v8:12876 Change-Id: I428b00b19a417e818c315f1cf9ee62d19f0747d7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867728 Auto-Submit: Jakob Linke <jgruber@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/main@{#82947}

[compiler] More conservative reads of call feedback
The `target` field of call feedback may be stored in the feedback vector without protection by generated code (see TryInitializeAsMonomorphic). We thus can't assume a memory fence exists when creating the ref, switch to TryMakeRef instead. Bug: v8:7790,v8:12876 Change-Id: I428b00b19a417e818c315f1cf9ee62d19f0747d7 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3867728 Auto-Submit: Jakob Linke <jgruber@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/main@{#82947}
de762c96 · Jakob Linke · V8 LUCI CQ · 5981d168 · de762c96
Commit de762c96 authored Sep 01, 2022 by Jakob Linke Committed by V8 LUCI CQ Sep 02, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

js-heap-broker.cc src/compiler/js-heap-broker.cc +1 -1

No files found.
--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@@ -684,7 +684,7 @@ ProcessedFeedback const& JSHeapBroker::ReadFeedbackForCall(
    MaybeObject maybe_target = nexus.GetFeedback();
    HeapObject target_object;
    if (maybe_target->GetHeapObject(&target_object)) {
-      target_ref = MakeRefAssumeMemoryFence(this, target_object);
+      target_ref = TryMakeRef(this, target_object);
    }
  }