Reviewers: Yang,
Message:
Could you take a look, please?
It turns out the arguments object screw-up was caused by my deoptimizer
refactoring.
Description:
[deoptimizer] Do not pass arguments markers to the debugger.
This fixes a bug introduced by r28826 (Unify decoding of deoptimization
translations, https://codereview.chromium.org/1136223004), where we
started leaking the arguments marker sentinel to the debugger, which would
then cause crashes. This change replaces the sentinel with the undefined
value in the debugger-inspectable frame.
BUG=chromium:514362
LOG=n
[email protected]
Please review this at https://codereview.chromium.org/1263333002/
Base URL: https://chromium.googlesource.com/v8/v8.git@master
Affected files (+53, -2 lines):
M src/deoptimizer.cc
A test/mjsunit/debug-materialized.js
Index: src/deoptimizer.cc
diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index
599962a204fe5a362334dd8ec1a014f76c7d04f6..d29cb6056347d63f30ef9643a833dd4f90c6cb59
100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -2266,7 +2266,12 @@
DeoptimizedFrameInfo::DeoptimizedFrameInfo(Deoptimizer* deoptimizer,
source_position_ = code->SourcePosition(pc);
for (int i = 0; i < expression_count_; i++) {
- SetExpression(i, output_frame->GetExpression(i));
+ Object* value = output_frame->GetExpression(i);
+ // Replace materialization markers with the undefined value.
+ if (value == deoptimizer->isolate()->heap()->arguments_marker()) {
+ value = deoptimizer->isolate()->heap()->undefined_value();
+ }
+ SetExpression(i, value);
}
if (has_arguments_adaptor) {
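Review bot: The sentinel filter added in the expression loop is repeated verbatim in the parameter loop of the second hunk (`@@ -2277,7 +2282,12 @@`), so a later change to which internal markers are filtered could be applied to one loop and missed in the other. Since this is the boundary that keeps an internal heap sentinel out of debugger-visible values, consider doing the substitution in one place, for example by caching `Object* marker = deoptimizer->isolate()->heap()->arguments_marker();` before the loops or by moving the check into a small static helper that both loops call. The comment could also state the consequence, e.g. `// The arguments marker must never escape to the debugger; slots still holding it are reported as undefined.` The constructor starts and ends outside both hunks, so whether any other path copies frame slots unfiltered cannot be confirmed from here.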
@@ -2277,7 +2282,12 @@
DeoptimizedFrameInfo::DeoptimizedFrameInfo(Deoptimizer* deoptimizer,
parameters_count_ = output_frame->ComputeParametersCount();
parameters_ = new Object* [parameters_count_];
for (int i = 0; i < parameters_count_; i++) {
- SetParameter(i, output_frame->GetParameter(i));
+ Object* value = output_frame->GetParameter(i);
+ // Replace materialization markers with the undefined value.
+ if (value == deoptimizer->isolate()->heap()->arguments_marker()) {
+ value = deoptimizer->isolate()->heap()->undefined_value();
+ }
+ SetParameter(i, value);
}
}
Index: test/mjsunit/debug-materialized.js
diff --git a/test/mjsunit/debug-materialized.js
b/test/mjsunit/debug-materialized.js
new file mode 100644
index
0000000000000000000000000000000000000000..0b01b78df491fadee3187d74d8b9b0922aefd4a9
--- /dev/null
+++ b/test/mjsunit/debug-materialized.js
@@ -0,0 +1,41 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-debug-as debug
+
+function dbg(x) {
+ debugger;
+}
+
+function foo() {
+ arguments[0];
+ dbg();
+}
+
+function bar() {
+ var t = { a : 1 };
+ dbg();
+ return t.a;
+}
+
+foo(1);
+foo(1);
+bar(1);
+bar(1);
+%OptimizeFunctionOnNextCall(foo);
+%OptimizeFunctionOnNextCall(bar);
+
+var Debug = debug.Debug;
+Debug.setListener(function(event, exec_state, event_data, data) {
+ if (event != Debug.DebugEvent.Break) return;
+ for (var i = 0; i < exec_state.frameCount(); i++) {
+ var f = exec_state.frame(i);
+ for (var j = 0; j < f.localCount(); j++) {
+ print("'" + f.localName(j) + "' = " + f.localValue(j).value());
+ }
+ }
+});
+
+foo(1);
+bar(1);
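Review bot: The listener only prints the locals and the test asserts nothing, so it passes even if the `debugger` statement never produces a break event. It may also pass if the listener itself throws, since exceptions raised inside a debug listener may not propagate to the test (worth confirming). Count the breaks and check the count at the end, e.g. `var breaks = 0;` with `breaks++;` in the listener and `assertEquals(2, breaks);` after the final `bar(1)`. Asserting the reported values instead of printing them would pin the undefined replacement itself rather than only the absence of a crash.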