[TurboFan] investigate a crash in GenerateDeoptimizationData

We know the array CodeGenerator::deoptimization_literals_ is corrupted somehow. Additional checks in place to validate. Bug: chromium:1027130 Change-Id: Ie0146003f096d24e67aeb382372bca8472548c2a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2182636 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#67641}

[TurboFan] investigate a crash in GenerateDeoptimizationData
We know the array CodeGenerator::deoptimization_literals_ is corrupted somehow. Additional checks in place to validate. Bug: chromium:1027130 Change-Id: Ie0146003f096d24e67aeb382372bca8472548c2a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2182636 Commit-Queue: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#67641}
ee0c1b0e · Mike Stanton · Commit Bot · d64bcab3 · ee0c1b0e · ee0c1b0e
Commit ee0c1b0e authored May 07, 2020 by Mike Stanton Committed by Commit Bot May 07, 2020
Show whitespace changes
Inline Side-by-side

Showing with 20 additions and 3 deletions

code-generator.cc src/compiler/backend/code-generator.cc +6 -0

code-generator.h src/compiler/backend/code-generator.h +14 -3

No files found.
--- a/src/compiler/backend/code-generator.cc
+++ b/src/compiler/backend/code-generator.cc
@@ -996,8 +996,10 @@ void CodeGenerator::RecordCallPosition(Instruction* instr) {
 }
 int CodeGenerator::DefineDeoptimizationLiteral(DeoptimizationLiteral literal) {
+  literal.Validate();
  int result = static_cast<int>(deoptimization_literals_.size());
  for (unsigned i = 0; i < deoptimization_literals_.size(); ++i) {
+    deoptimization_literals_[i].Validate();
    if (deoptimization_literals_[i] == literal) return i;
  }
  deoptimization_literals_.push_back(literal);
@@ -1349,6 +1351,7 @@ OutOfLineCode::OutOfLineCode(CodeGenerator* gen)
 OutOfLineCode::~OutOfLineCode() = default;
 Handle<Object> DeoptimizationLiteral::Reify(Isolate* isolate) const {
+  Validate();
  switch (kind_) {
    case DeoptimizationLiteralKind::kObject: {
      return object_;
@@ -1359,6 +1362,9 @@ Handle<Object> DeoptimizationLiteral::Reify(Isolate* isolate) const {
    case DeoptimizationLiteralKind::kString: {
      return string_->AllocateStringConstant(isolate);
    }
+    case DeoptimizationLiteralKind::kInvalid: {
+      UNREACHABLE();
+    }
  }
  UNREACHABLE();
 }

--- a/src/compiler/backend/code-generator.h
+++ b/src/compiler/backend/code-generator.h
@@ -51,12 +51,16 @@ class InstructionOperandIterator {
  size_t pos_;
 };
-enum class DeoptimizationLiteralKind { kObject, kNumber, kString };
+enum class DeoptimizationLiteralKind { kObject, kNumber, kString, kInvalid };
 // Either a non-null Handle<Object>, a double or a StringConstantBase.
 class DeoptimizationLiteral {
 public:
-  DeoptimizationLiteral() : object_(), number_(0), string_(nullptr) {}
+  DeoptimizationLiteral()
+      : kind_(DeoptimizationLiteralKind::kInvalid),
+        object_(),
+        number_(0),
+        string_(nullptr) {}
  explicit DeoptimizationLiteral(Handle<Object> object)
      : kind_(DeoptimizationLiteralKind::kObject), object_(object) {
    CHECK(!object_.is_null());
@@ -77,7 +81,14 @@ class DeoptimizationLiteral {
  Handle<Object> Reify(Isolate* isolate) const;
-  DeoptimizationLiteralKind kind() const { return kind_; }
+  void Validate() const {
+    CHECK_NE(kind_, DeoptimizationLiteralKind::kInvalid);
+  }
+  DeoptimizationLiteralKind kind() const {
+    Validate();
+    return kind_;
+  }
 private:
  DeoptimizationLiteralKind kind_;