Skip to content

Commit 506e893

Browse files
schuayCommit Bot
schuay
authored and
Commit Bot
committed
[deoptimizer] Stricter checks during deoptimization
.. to verify that the trampoline_pc has been set. Bug: chromium:1161357 Change-Id: If7e1a13cff9919e2e8a65c095d80dfcef2dc05cb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2606333 Commit-Queue: Jakob Gruber <[email protected]> Auto-Submit: Jakob Gruber <[email protected]> Reviewed-by: Benedikt Meurer <[email protected]> Cr-Commit-Position: refs/heads/master@{#71896}
1 parent 9327fbd commit 506e893

3 files changed

Lines changed: 20 additions & 0 deletions

File tree

src/deoptimizer/deoptimizer.cc

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -267,6 +267,7 @@ class ActivationsFinder : public ThreadVisitor {
267267
SafepointEntry safepoint = code.GetSafepointEntry(it.frame()->pc());
268268
int trampoline_pc = safepoint.trampoline_pc();
269269
DCHECK_IMPLIES(code == topmost_, safe_to_deopt_);
270+
CHECK_GE(trampoline_pc, 0);
270271
// Replace the current pc on the stack with the trampoline.
271272
// TODO(v8:10026): avoid replacing a signed pointer.
272273
Address* pc_addr = it.frame()->pc_address();

test/mjsunit/mjsunit.status

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -73,6 +73,10 @@
7373
# https://crbug.com/1129854
7474
'tools/log': ['arch == arm or arch == arm64', SKIP],
7575

76+
# crbug.com/1161357
77+
# TODO(solanes): Remove this entry once the underlying issue is fixed.
78+
'regress/regress-1161357': [PASS, FAIL],
79+
7680
##############################################################################
7781
# Tests where variants make no sense.
7882
'd8/enable-tracing': [PASS, NO_VARIANTS],

test/mjsunit/regress/regress-1161357.js

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,15 @@
1+
// Copyright 2020 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
for (let i = 0; i < 3; i++) {
6+
for (let j = 0; j < 32767; j++) {
7+
Number;
8+
}
9+
for (let j = 0; j < 2335; j++) {
10+
Number;
11+
}
12+
var arr = [, ...(new Int16Array(0xffff)), 4294967296];
13+
arr.concat(Number, arr)
14+
}
15+
eval(``);

0 commit comments

Comments
 (0)