-
jarin authored
Bad scenario: - Enter a binop IC miss handler from optimized code object C from call site S, - From the binop IC, invoke arbitrary javascript that lazy deopts C, so all relocation info is nuked and replaced with lazy deopt entries' reloc info. In particular, there is no reloc info for S. - Still from the arbitrary JavaScript, make IC target's code object move. Note that the call site S is not updated. - Return to the miss handler and inspect the IC's target. This will try to get the target from S, but that is a potentially invalid pointer. It is quite possible that we will have to do a similar fix for other ICs, but we will have to find a reliable repro first. I am not submitting a repro here because it is quite long running and brittle (it relies on code compaction happening while in the binop IC). BUG=v8:3910 LOG=n R=ishell@chromium.org Review URL: https://codereview.chromium.org/958473004 Cr-Commit-Position: refs/heads/master@{#26872}
bb13e7f7
