Check the state of the current binary op IC before patching smi code

Between the miss and patching, we run user code. That may already patch the same code. IC refactoring broke this (again), so including a regression test this time around. BUG=chromium:601392 LOG=n Review URL: https://codereview.chromium.org/1925583002 Cr-Commit-Position: refs/heads/master@{#35811}

Check the state of the current binary op IC before patching smi code
Between the miss and patching, we run user code. That may already patch the same code. IC refactoring broke this (again), so including a regression test this time around. BUG=chromium:601392 LOG=n Review URL: https://codereview.chromium.org/1925583002 Cr-Commit-Position: refs/heads/master@{#35811}
f1cc6e64 · verwaest · Commit bot · 2fb88d61 · f1cc6e64 · f1cc6e64
Commit f1cc6e64 authored Apr 27, 2016 by verwaest Committed by Commit bot Apr 27, 2016
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 8 deletions

ic.cc src/ic/ic.cc +8 -8

regress-recurse-patch-binary-op.js test/mjsunit/regress/regress-recurse-patch-binary-op.js +10 -0

No files found.
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2357,11 +2357,11 @@ MaybeHandle<Object> BinaryOpIC::Transition(
  }

  // Compute the new state.
-  BinaryOpICState old_state(isolate(), extra_ic_state());
+  BinaryOpICState old_state(isolate(), target()->extra_ic_state());
  state.Update(left, right, result);

  // Check if we have a string operation here.
-  Handle<Code> target;
+  Handle<Code> new_target;
  if (!allocation_site.is_null() || state.ShouldCreateAllocationMementos()) {
    // Setup the allocation site on-demand.
    if (allocation_site.is_null()) {
@@ -2370,24 +2370,24 @@ MaybeHandle<Object> BinaryOpIC::Transition(

    // Install the stub with an allocation site.
    BinaryOpICWithAllocationSiteStub stub(isolate(), state);
-    target = stub.GetCodeCopyFromTemplate(allocation_site);
+    new_target = stub.GetCodeCopyFromTemplate(allocation_site);

    // Sanity check the trampoline stub.
-    DCHECK_EQ(*allocation_site, target->FindFirstAllocationSite());
+    DCHECK_EQ(*allocation_site, new_target->FindFirstAllocationSite());
  } else {
    // Install the generic stub.
    BinaryOpICStub stub(isolate(), state);
-    target = stub.GetCode();
+    new_target = stub.GetCode();

    // Sanity check the generic stub.
-    DCHECK_NULL(target->FindFirstAllocationSite());
+    DCHECK_NULL(new_target->FindFirstAllocationSite());
  }
-  set_target(*target);
+  set_target(*new_target);

  if (FLAG_trace_ic) {
    OFStream os(stdout);
    os << "[BinaryOpIC" << old_state << " => " << state << " @ "
-       << static_cast<void*>(*target) << " <- ";
+       << static_cast<void*>(*new_target) << " <- ";
    JavaScriptFrame::PrintTop(isolate(), stdout, false, true);
    if (!allocation_site.is_null()) {
      os << " using allocation site " << static_cast<void*>(*allocation_site);

--- a/test/mjsunit/regress/regress-recurse-patch-binary-op.js
+++ b/test/mjsunit/regress/regress-recurse-patch-binary-op.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var i = 0
+function valueOf() {
+  while (true) return i++ < 4 ? 1 + this : 2
+}
+
+1 + ({valueOf})