Reviewers: Igor Sheludko,
Message:
Could you take a look, please?
Description:
Do not touch a binary op IC target in code object marked for lazy deopt.
Bad scenario:
- Enter a binop IC miss handler from optimized code object C from call
site S,
- From the binop IC, invoke arbitrary JavaScript that lazy deopts C,
so all relocation info is nuked and replaced with lazy deopt entries'
reloc info. In particular, there is no reloc info for S.
- Still from the arbitrary JavaScript, make IC target's code object move.
Note that the call site S is not updated.
- Return to the miss handler and inspect the IC's target. This will try
to get the target from S, but that is a potentially invalid pointer.
It is quite possible that we will have to do a similar fix for other ICs,
but we will have to find a reliable repro first. I am not submitting a
repro here because it is quite long running and brittle (it
relies on code compaction happening while in the binop IC).
BUG=v8:3910
LOG=n
[email protected]
Please review this at https://codereview.chromium.org/958473004/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+17, -0 lines):
M src/ic/ic.h
M src/ic/ic.cc
Index: src/ic/ic.cc
diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index
ef8e069fda99301efa30c9223af4253e221a7442..9721e459021ed4bb4e41160d631121876b593093
100644
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -230,6 +230,14 @@ bool IC::AddressIsOptimizedCode() const {
}
+bool IC::AddressIsDeoptimizedCode() const {
+ Code* host =
+
isolate()->inner_pointer_to_code_cache()->GetCacheEntry(address())->code;
+ return host->kind() == Code::OPTIMIZED_FUNCTION &&
+ host->marked_for_deoptimization();
+}
+
+
static void LookupForRead(LookupIterator* it) {
for (; it->IsFound(); it->Next()) {
switch (it->state()) {
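Review bot: The name AddressIsDeoptimizedCode() overstates what the helper checks. It returns true when the host is optimized code that is merely marked_for_deoptimization(), i.e. scheduled for lazy deopt, not code that has already been deoptimized; since the caller relies on exactly that state to decide whether the reloc info for the call site can still be trusted, either a name such as AddressIsCodeMarkedForDeopt() or a one-line comment above the function making the distinction explicit would help. If AddressIsOptimizedCode() directly above performs the same `inner_pointer_to_code_cache()->GetCacheEntry(address())->code` lookup, consider factoring the host lookup into a shared helper so the two do not drift apart.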
@@ -2485,9 +2493,17 @@ MaybeHandle<Object> BinaryOpIC::Transition(
isolate(), result, Execution::Call(isolate(), function, left, 1,
&right),
Object);
+ // Do not try to update the target if the code was marked for lazy
+ // deoptimization. (Since we do not relocate addresses in these
+ // code objects, an attempt to access the target could fail.)
+ if (AddressIsDeoptimizedCode()) {
+ return result;
+ }
+
// Execution::Call can execute arbitrary JavaScript, hence potentially
// update the state of this very IC, so we must update the stored state.
UpdateTarget();
+
// Compute the new state.
BinaryOpICState old_state(isolate(), target()->extra_ic_state());
state.Update(left, right, result);
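Review bot: The early `return result;` after AddressIsDeoptimizedCode() skips not only UpdateTarget() but the entire state transition that follows (`state.Update(left, right, result)` and whatever patching comes after it), while the new comment only explains the first half. Please extend the comment to say that leaving the IC in its old state is intentional because the host code object is about to be discarded, so there is nothing to patch at the call site; otherwise a later reader may move the check to guard just UpdateTarget(). Given the description's note that other ICs will probably need the same guard, a `// TODO(v8:3910)` next to this check would help track that. The additional blank `+` line inserted between `UpdateTarget();` and `// Compute the new state.` is unrelated whitespace and can be dropped.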
Index: src/ic/ic.h
diff --git a/src/ic/ic.h b/src/ic/ic.h
index
773e9d029aafe568b40599b792a937d8d6d45ab6..3ef3caa1a0e9659faf16a3976d70d11284b2bbe0
100644
--- a/src/ic/ic.h
+++ b/src/ic/ic.h
@@ -134,6 +134,7 @@ class IC {
Code* GetOriginalCode() const;
bool AddressIsOptimizedCode() const;
+ bool AddressIsDeoptimizedCode() const;
// Set the call-site target.
inline void set_target(Code* code);
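Review bot: The new declaration `bool AddressIsDeoptimizedCode() const;` has no comment, while the neighbouring `set_target` does; add one line stating that it returns true when the code object containing address() is optimized code marked for lazy deoptimization, so readers of the header do not have to open ic.cc to learn which state it reports.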
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev