Files · a9b9c7ab8ca8c0ae749eb119418fb4cc037a93de · Linshizhi / V8

[objects] Relax JSBoundFunction verification. · a9b9c7ab

bmeurer authored Jun 19, 2017

The heap verifier does certain invariant checks on JSBoundFunction
objects, i.e. it assumes that the bound_target_function is a proper
JSReceiver. The Deoptimizer cannot maintain this invariant, because it
first allocates the JSBoundFunction in an invalid state and only
afterwards fix up the state. But the GC (and thus the heap verifier)
can observe this invalid state why materializing field values, so
we need to relax the verification slightly.

BUG=chromium:729573,chromium:732176
R=mstarzinger@chromium.org

Review-Url: https://codereview.chromium.org/2933283002
Cr-Commit-Position: refs/heads/master@{#45988}

a9b9c7ab

Name	Last commit	Last update
benchmarks		Loading commit data...
build_overrides		Loading commit data...
docs		Loading commit data...
gni		Loading commit data...
gypfiles		Loading commit data...
include		Loading commit data...
infra		Loading commit data...
samples		Loading commit data...
src		Loading commit data...
test		Loading commit data...
testing		Loading commit data...
third_party		Loading commit data...
tools		Loading commit data...
.clang-format		Loading commit data...
.gitignore		Loading commit data...
.gn		Loading commit data...
.ycm_extra_conf.py		Loading commit data...
AUTHORS		Loading commit data...
BUILD.gn		Loading commit data...
CODE_OF_CONDUCT.md		Loading commit data...
ChangeLog		Loading commit data...
DEPS		Loading commit data...
LICENSE		Loading commit data...
LICENSE.fdlibm		Loading commit data...
LICENSE.strongtalk		Loading commit data...
LICENSE.v8		Loading commit data...
LICENSE.valgrind		Loading commit data...
Makefile		Loading commit data...
Makefile.android		Loading commit data...
OWNERS		Loading commit data...
PRESUBMIT.py		Loading commit data...
README.md		Loading commit data...
WATCHLISTS		Loading commit data...
codereview.settings		Loading commit data...
snapshot_toolchain.gni		Loading commit data...

README.md