Reviewers: mvstanton, Yang,
Description:
Make sure we don't accidentially serialize type feedback
BUG=none
[email protected],[email protected]
LOG=n
Please review this at https://codereview.chromium.org/804933002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+45, -0 lines):
M src/serialize.cc
M src/type-feedback-vector.h
M src/type-feedback-vector.cc
Index: src/serialize.cc
diff --git a/src/serialize.cc b/src/serialize.cc
index
01c55a1226efedc5cca0d8bc1f80ad99dede6ba4..af8b3d012a384716b43d9dc77bfa9a6dd4d4b27c
100644
--- a/src/serialize.cc
+++ b/src/serialize.cc
@@ -2075,6 +2075,12 @@ ScriptData* CodeSerializer::Serialize(Isolate*
isolate,
PrintF("]\n");
}
+ // The type feedback vector of this function must be clear.
+ if (info->feedback_vector()->IsCleared()) {
+ UNREACHABLE();
+ info->ClearTypeFeedbackInfo();
+ }
+
// Serialize code object.
SnapshotByteSink sink(info->code()->CodeSize() * 2);
CodeSerializer cs(isolate, &sink, *source, info->code());
Index: src/type-feedback-vector.cc
diff --git a/src/type-feedback-vector.cc b/src/type-feedback-vector.cc
index
45028b87879f7bbe2984179c111f586ce6f9025e..5154e2078fc4c960298f28a5041559ad32c4a4f4
100644
--- a/src/type-feedback-vector.cc
+++ b/src/type-feedback-vector.cc
@@ -207,6 +207,42 @@ void
TypeFeedbackVector::ClearSlots(SharedFunctionInfo* shared) {
}
+bool TypeFeedbackVector::IsCleared() {
+ int slots = Slots();
+ Isolate* isolate = GetIsolate();
+ Object* uninitialized_sentinel =
+ TypeFeedbackVector::RawUninitializedSentinel(isolate->heap());
+
+ for (int i = 0; i < slots; i++) {
+ FeedbackVectorSlot slot(i);
+ Object* obj = Get(slot);
+ if (obj->IsHeapObject()) {
+ InstanceType instance_type =
+ HeapObject::cast(obj)->map()->instance_type();
+ // AllocationSites are exempt from clearing. They don't store Maps
+ // or Code pointers which can cause memory leaks if not cleared
+ // regularly.
+ if (instance_type != ALLOCATION_SITE_TYPE) {
+ return false;
+ }
+ }
+ }
+
+ slots = ICSlots();
+ if (slots == 0) return true;
+
+ // Now check vector-based ICs.
+ for (int i = 0; i < slots; i++) {
+ FeedbackVectorICSlot slot(i);
+ Object* obj = Get(slot);
+ if (obj != uninitialized_sentinel) {
+ return false;
+ }
+ }
+ return true;
+}
+
+
Handle<FixedArray> FeedbackNexus::EnsureArrayOfSize(int length) {
Isolate* isolate = GetIsolate();
Handle<Object> feedback = handle(GetFeedback(), isolate);
Index: src/type-feedback-vector.h
diff --git a/src/type-feedback-vector.h b/src/type-feedback-vector.h
index
864f336f90cb733f3e2ce28d875383bc25782231..d1d48db0535d893d1a43151acbd18d69ab834807
100644
--- a/src/type-feedback-vector.h
+++ b/src/type-feedback-vector.h
@@ -166,6 +166,9 @@ class TypeFeedbackVector : public FixedArray {
// Clears the vector slots and the vector ic slots.
void ClearSlots(SharedFunctionInfo* shared);
+ // Returns true if all slots are clear.
+ bool IsCleared();
+
// The object that indicates an uninitialized cache.
static inline Handle<Object> UninitializedSentinel(Isolate* isolate);
--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
