Merged: [deoptimizer] Stricter checks during deoptimization

GeorgNeis · Commit Bot · commit 44d052c19df0 · 2021-01-08T08:58:47.000Z
Revision: 506e893 BUG=chromium:1161357 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=mythria@chromium.org Change-Id: I97b69ae11d85bc0acd4a0c7bd28e1b692433de80 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2616219 Reviewed-by: Mythri Alle <mythria@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/branch-heads/8.8@{#23} Cr-Branched-From: 2dbcdc1-refs/heads/8.8.278@{#1} Cr-Branched-From: 366d30c-refs/heads/master@{#71094}
diff --git a/src/deoptimizer/deoptimizer.cc b/src/deoptimizer/deoptimizer.cc
@@ -267,6 +267,7 @@ class ActivationsFinder : public ThreadVisitor {
           SafepointEntry safepoint = code.GetSafepointEntry(it.frame()->pc());
           int trampoline_pc = safepoint.trampoline_pc();
           DCHECK_IMPLIES(code == topmost_, safe_to_deopt_);
+          CHECK_GE(trampoline_pc, 0);
           // Replace the current pc on the stack with the trampoline.
           // TODO(v8:10026): avoid replacing a signed pointer.
           Address* pc_addr = it.frame()->pc_address();
diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
@@ -77,6 +77,10 @@
   # https://crbug.com/1129854
   'tools/log': ['arch == arm or arch == arm64', SKIP],
 
+  # crbug.com/1161357
+  # TODO(solanes): Remove this entry once the underlying issue is fixed.
+  'regress/regress-1161357': [PASS, FAIL],
+
   ##############################################################################
   # Tests where variants make no sense.
   'd8/enable-tracing': [PASS, NO_VARIANTS],
diff --git a/test/mjsunit/regress/regress-1161357.js b/test/mjsunit/regress/regress-1161357.js
@@ -0,0 +1,15 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+for (let i = 0; i < 3; i++) {
+  for (let j = 0; j < 32767; j++) {
+    Number;
+  }
+  for (let j = 0; j < 2335; j++) {
+    Number;
+  }
+  var arr = [, ...(new Int16Array(0xffff)), 4294967296];
+  arr.concat(Number, arr)
+}
+eval(``);
