Allow code-dependency changes in OptimizedCompilationJob::FinalizeJob

Installation of the PrototypePropertyDependency, as well as GC, can invalidate dependencies. Bug: chromium:902552 Change-Id: Iabcce026c7475c722d19ac0b80758b22d9fbcfda Reviewed-on: https://chromium-review.googlesource.com/c/1322450Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#57343}

Allow code-dependency changes in OptimizedCompilationJob::FinalizeJob
Installation of the PrototypePropertyDependency, as well as GC, can invalidate dependencies. Bug: chromium:902552 Change-Id: Iabcce026c7475c722d19ac0b80758b22d9fbcfda Reviewed-on: https://chromium-review.googlesource.com/c/1322450Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#57343}
f4603157 · Georg Neis · Commit Bot · 5af64b6d · f4603157 · f4603157
Commit f4603157 authored Nov 07, 2018 by Georg Neis Committed by Commit Bot Nov 08, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 2 deletions

compiler.cc src/compiler.cc +0 -1

compilation-dependencies.cc src/compiler/compilation-dependencies.cc +5 -1

regress-902552.js test/mjsunit/regress/regress-902552.js +11 -0

No files found.
--- a/src/compiler.cc
+++ b/src/compiler.cc
@@ -226,7 +226,6 @@ CompilationJob::Status OptimizedCompilationJob::ExecuteJob() {

 CompilationJob::Status OptimizedCompilationJob::FinalizeJob(Isolate* isolate) {
  DCHECK(ThreadId::Current().Equals(isolate->thread_id()));
-  DisallowCodeDependencyChange no_dependency_change;
  DisallowJavascriptExecution no_js(isolate);

  // Delegate to the underlying implementation.

--- a/src/compiler/compilation-dependencies.cc
+++ b/src/compiler/compilation-dependencies.cc
@@ -71,6 +71,9 @@ class PrototypePropertyDependency final
  void Install(const MaybeObjectHandle& code) override {
    SLOW_DCHECK(IsValid());
    Handle<JSFunction> function = function_.object();
+    // Note that EnsureHasInitialMap can invalidate other dependencies, whether
+    // installed already or not, because it may change the map of the prototype
+    // object.
    if (!function->has_initial_map()) JSFunction::EnsureHasInitialMap(function);
    Handle<Map> initial_map(function->initial_map(), function_.isolate());
    DependentCode::InstallDependency(function_.isolate(), code, initial_map,
@@ -382,7 +385,8 @@ bool CompilationDependencies::Commit(Handle<Code> code) {

  for (auto dep : dependencies_) {
    // Check each dependency's validity again right before installing it,
-    // because a GC can trigger invalidation for some dependency kinds.
+    // because a GC can trigger invalidation for some dependency kinds (e.g.,
+    // for PretenureModeDependency).
    if (!dep->IsValid()) {
      dependencies_.clear();
      return false;

--- a/test/mjsunit/regress/regress-902552.js
+++ b/test/mjsunit/regress/regress-902552.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var C = class {};
+for (var i = 0; i < 4; ++i) {
+  if (i == 2) %OptimizeOsr();
+  C.prototype.foo = 42;
+}