-
Georg Neis authored
Foozie came up with a mind-boggling example hitting a similarly mind-boggling bug: object construction (JSObject::New) wants to create the constructor's function initial map (JSFunction::GetDerivedMap -> JSFunction::EnsureHasInitialMap). To do so, it calls JSFunction::CalculateExpectedNofProperties. This harmless sounding function triggers compilation of the function. Since we're running with --always-opt, this is an optimizing compilation. Turbofan ends up depending on the function's "prototype" property, for which it wants to create the initial map so that it can install the code dependency. That is, EnsureHasInitialMap is reentered. At this point there is no further compilation attempt because the bytecode now exists. The initial map is created and installed on the function, and TF records the code dependency on that map. When CalculateExpectedNofProperties returns control to the outer EnsureHasInitialMap, yet another initial map is created and set on the function, forgetting the previous one and thus the code dependency. I'm not sure if this bug can only be observed with --always-opt. The fix is general. Bug: chromium:1092011 Change-Id: I8b972748e49b9eb8f06fa17ea9ca037de2bd7532 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2238570Reviewed-by:
Leszek Swirski <leszeks@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#68292}
0817d7ee
