[runtime] Don't update template map for existing templates

The cached template object weakmap shouldn't be updated when we update an existing cached template object, because this update can truncate the linked list of cached template objects. Bug: v8:13190 Change-Id: Icea61fcbd5c05d4293a884d1872523ddcdfc3323 Fixed: chromium:1364429, chromium:1364471 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899256Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83248}

[runtime] Don't update template map for existing templates
The cached template object weakmap shouldn't be updated when we update an existing cached template object, because this update can truncate the linked list of cached template objects. Bug: v8:13190 Change-Id: Icea61fcbd5c05d4293a884d1872523ddcdfc3323 Fixed: chromium:1364429, chromium:1364471 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3899256Reviewed-by: Camillo Bruni <cbruni@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83248}
e7b96040 · Leszek Swirski · V8 LUCI CQ · 00a34199 · e7b96040 · e7b96040
Commit e7b96040 authored Sep 16, 2022 by Leszek Swirski Committed by V8 LUCI CQ Sep 16, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 3 deletions

template-objects.cc src/objects/template-objects.cc +7 -3

regress-1364429.js test/mjsunit/regress/regress-1364429.js +20 -0

No files found.
--- a/src/objects/template-objects.cc
+++ b/src/objects/template-objects.cc
@@ -94,14 +94,18 @@ Handle<JSArray> TemplateObjectDescription::GetTemplateObject(
  if (existing_cached_template.ToHandle(&cached_template)) {
    cached_template->set_template_object(
        HeapObjectReference::Weak(*template_object));
+    // The existing cached template is already in the weakmap, so don't add it
+    // again.
  } else {
    cached_template = isolate->factory()->NewCachedTemplateObject(
        function_literal_id, slot_id, previous_cached_templates,
        template_object);
+
+    // Add the new cached template to the weakmap as the new linked list head.
+    template_weakmap = EphemeronHashTable::Put(isolate, template_weakmap,
+                                               script, cached_template, hash);
+    native_context->set_template_weakmap(*template_weakmap);
  }
-  template_weakmap = EphemeronHashTable::Put(isolate, template_weakmap, script,
-                                             cached_template, hash);
-  native_context->set_template_weakmap(*template_weakmap);

  return template_object;
 }

--- a/test/mjsunit/regress/regress-1364429.js
+++ b/test/mjsunit/regress/regress-1364429.js
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --expose-gc
+
+function get_template_object(x) {
+  return x;
+}
+function foo() {
+  return get_template_object``;
+}
+function bar() {
+  return get_template_object``;
+}
+foo();
+gc();
+var cached_bar = bar();
+assertNotSame(foo() === cached_bar);
+assertSame(bar(), cached_bar);