Reviewers: jarin,

Description:
[turbofan] Fix frame state for class literal definition.

This introduces a bailout point for class literals right after the
%DefineClass function has been called. Otherwise the FrameState after
class literal evaluation might contain the literal itself.

[email protected]
TEST=mjsunit/regress/regress-crbug-480819
BUG=chromium:480819
LOG=N

Please review this at https://codereview.chromium.org/1104673004/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+10, -4 lines):
  M src/ast.h
  M src/compiler/ast-graph-builder.cc
  M src/full-codegen.cc
  A + test/mjsunit/regress/regress-crbug-480819.js


Index: src/ast.h
diff --git a/src/ast.h b/src/ast.h
index 7ed1609e7f64dcc972c9a035c2076aedc662f4ca..1a7cd5193abfc49240711e7fdbf4c0da8338c797 100644
--- a/src/ast.h
+++ b/src/ast.h
@@ -2699,13 +2699,14 @@ class ClassLiteral final : public Expression {
   BailoutId EntryId() const { return BailoutId(local_id(0)); }
   BailoutId DeclsId() const { return BailoutId(local_id(1)); }
   BailoutId ExitId() { return BailoutId(local_id(2)); }
+  BailoutId CreateLiteralId() const { return BailoutId(local_id(3)); }

   // Return an AST id for a property that is used in simulate instructions.
-  BailoutId GetIdForProperty(int i) { return BailoutId(local_id(i + 3)); }
+  BailoutId GetIdForProperty(int i) { return BailoutId(local_id(i + 4)); }

   // Unlike other AST nodes, this number of bailout IDs allocated for an
   // ClassLiteral can vary, so num_ids() is not a static method.
- int num_ids() const { return parent_num_ids() + 3 + properties()->length(); }
+ int num_ids() const { return parent_num_ids() + 4 + properties()->length(); }

  protected:
   ClassLiteral(Zone* zone, const AstRawString* name, Scope* scope,
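Review bot: The base offset for property ids is now a bare `4` written twice, in `GetIdForProperty` (`i + 4`) and in `num_ids()` (`+ 4`), and it must also stay one past the `local_id(3)` used by the new `CreateLiteralId()`. If a later change adds another fixed id and misses one of these three sites, a property id would alias a fixed bailout id or fall outside the range `num_ids()` reserves, and a deoptimization there would presumably rebuild the frame from the wrong state. Consider a single named constant used in both expressions, e.g. `static const int kFixedIdCount = 4;`, or at least a comment such as `// local_id(0..3) are fixed ids; property ids start at 4.`. The class body continues outside the hunk.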
Index: src/compiler/ast-graph-builder.cc
diff --git a/src/compiler/ast-graph-builder.cc b/src/compiler/ast-graph-builder.cc
index d299aec2ac5395c2903dfe8e4cd4937b30a94c9f..9dd11b8770e20cb68fb2386fda97959108d19690 100644
--- a/src/compiler/ast-graph-builder.cc
+++ b/src/compiler/ast-graph-builder.cc
@@ -1518,6 +1518,8 @@ void AstGraphBuilder::VisitClassLiteralContents(ClassLiteral* expr) {
   Node* end = jsgraph()->Constant(expr->end_position());
const Operator* opc = javascript()->CallRuntime(Runtime::kDefineClass, 6);
 Node* literal = NewNode(opc, name, extends, constructor, script, start, end);
+  PrepareFrameState(literal, expr->CreateLiteralId(),
+                    OutputFrameStateCombine::Push());

// The prototype is ensured to exist by Runtime_DefineClass. No access check
   // is needed here since the constructor is created by the class literal.
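Review bot: Nothing at the new `PrepareFrameState(literal, expr->CreateLiteralId(), OutputFrameStateCombine::Push())` call says why the combine mode is `Push()` rather than `ast_context()->GetStateCombine()`, which the call removed at the end of this function used. It appears to mirror the `TOS_REG` state that `FullCodeGenerator::VisitClassLiteral` registers for the same id in src/full-codegen.cc; if the two disagreed, the deoptimizer would presumably be handed a frame layout the unoptimized code does not expect. A short comment would record that pairing, e.g. `// Bailout right after %DefineClass; must match the CreateLiteralId() state in full-codegen.`. VisitClassLiteralContents starts before this hunk and continues past it.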
@@ -1594,7 +1596,6 @@ void AstGraphBuilder::VisitClassLiteralContents(ClassLiteral* expr) {
 BuildVariableAssignment(var, literal, Token::INIT_CONST, BailoutId::None());
   }

-  PrepareFrameState(literal, expr->id(), ast_context()->GetStateCombine());
   ast_context()->ProduceValue(literal);
 }

Index: src/full-codegen.cc
diff --git a/src/full-codegen.cc b/src/full-codegen.cc
index 08fe7a78448b6615fb9cadb75f768ca11872861d..3386ce12e5546c95dd13733564a667c40e98c033 100644
--- a/src/full-codegen.cc
+++ b/src/full-codegen.cc
@@ -1591,6 +1591,7 @@ void FullCodeGenerator::VisitClassLiteral(ClassLiteral* lit) {
     __ Push(Smi::FromInt(lit->end_position()));

     __ CallRuntime(Runtime::kDefineClass, 6);
+    PrepareForBailoutForId(lit->CreateLiteralId(), TOS_REG);
     EmitClassDefineProperties(lit);

     if (lit->scope() != NULL) {
Index: test/mjsunit/regress/regress-crbug-480819.js
diff --git a/test/message/regress/regress-3995.js b/test/mjsunit/regress/regress-crbug-480819.js
similarity index 59%
copy from test/message/regress/regress-3995.js
copy to test/mjsunit/regress/regress-crbug-480819.js
index ba84bc096527cc242b9ad43983b42eec0462c43c..8d3b7eed60ea20d880cf68def679cd859263ea99 100644
--- a/test/message/regress/regress-3995.js
+++ b/test/mjsunit/regress/regress-crbug-480819.js
@@ -2,6 +2,9 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

+// Flags: --turbo-filter=* --always-opt --turbo-deoptimization --noanalyze-environment-liveness
+
 (function() {
-  throw new Error("boom");
+  "use strict";
+  class C1 {}
 })();
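Review bot: The regression case `class C1 {}` has no members, so the shifted property ids (`GetIdForProperty` now returns `local_id(i + 4)` in src/ast.h) are never requested by this test. Adding a second class with members in the same function, e.g. `class C2 { m() {} static s() {} }`, would exercise the property bailout ids that sit next to the new `CreateLiteralId()` under the same flags. Whether another mjsunit test already covers that path is not visible from this page.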

