[v8-dev] Version 4.6.85.6 (cherry-pick) (issue 1313513004 by [email protected])

Wed, 26 Aug 2015 23:59:28 -0700 

Reviewers: Hablich,

Description:
Version 4.6.85.6 (cherry-pick)

Merged 24544698efa7e52e23c4cd270ba090c83cf47f9b
Merged e642fde41408bb744b26b3de2096103f9d5d40b6

Message formatting: handle unexpected case of failing property lookup.

Deserializer: flush code cache while code pointers are still valid.

BUG=chromium:523308,chromium:523453
LOG=N
[email protected]

Please review this at https://codereview.chromium.org/1313513004/

Base URL: https://chromium.googlesource.com/v8/[email protected]

Affected files (+29, -15 lines):
  M include/v8-version.h
  M src/messages.cc
  M src/snapshot/serialize.h
  M src/snapshot/serialize.cc
  A test/mjsunit/regress/regress-crbug-523308.js


Index: include/v8-version.h
diff --git a/include/v8-version.h b/include/v8-version.h
index 243ebb9d32cb12a86ceb872c3deae0f43c8e6c38..7dd42191a6ccbaf390a0aa8f42fb3a9aabfc8c46 100644 
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 4
 #define V8_MINOR_VERSION 6
 #define V8_BUILD_NUMBER 85
-#define V8_PATCH_LEVEL 5
+#define V8_PATCH_LEVEL 6

 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
Index: src/messages.cc
diff --git a/src/messages.cc b/src/messages.cc
index 4e0c45f0f1992ca70ed191bfe63c6a4fac4bed7c..3de6717cbcece426eb4a73b2a3b02db8d4b66738 100644 
--- a/src/messages.cc
+++ b/src/messages.cc
@@ -434,6 +434,7 @@ MaybeHandle<String> ErrorToStringHelper::Stringify(Isolate* isolate, 
 bool ErrorToStringHelper::ShadowsInternalError(
     Isolate* isolate, LookupIterator* property_lookup,
     LookupIterator* internal_error_lookup) {
+  if (!property_lookup->IsFound()) return false;
   Handle<JSObject> holder = property_lookup->GetHolder<JSObject>();
   // It's fine if the property is defined on the error itself.
   if (holder.is_identical_to(property_lookup->GetReceiver())) return true;
Index: src/snapshot/serialize.cc
diff --git a/src/snapshot/serialize.cc b/src/snapshot/serialize.cc
index 3f261203e69fec5a74b702af71a3413fb471b2b3..9f2b4e9314888400cc9578cf17da182d99ddea05 100644 
--- a/src/snapshot/serialize.cc
+++ b/src/snapshot/serialize.cc
@@ -500,16 +500,19 @@ void Deserializer::DecodeReservation(
 }


-void Deserializer::FlushICacheForNewCodeObjects() {
-  if (!deserializing_user_code_) {
- // The entire isolate is newly deserialized. Simply flush all code pages. 
-    PageIterator it(isolate_->heap()->code_space());
-    while (it.has_next()) {
-      Page* p = it.next();
-      CpuFeatures::FlushICache(p->area_start(),
-                               p->area_end() - p->area_start());
-    }
+void Deserializer::FlushICacheForNewIsolate() {
+  DCHECK(!deserializing_user_code_);
+  // The entire isolate is newly deserialized. Simply flush all code pages.
+  PageIterator it(isolate_->heap()->code_space());
+  while (it.has_next()) {
+    Page* p = it.next();
+ CpuFeatures::FlushICache(p->area_start(), p->area_end() - p->area_start()); 
   }
+}
+
+
+void Deserializer::FlushICacheForNewCodeObjects() {
+  DCHECK(deserializing_user_code_);
   for (Code* code : new_code_objects_) {
     CpuFeatures::FlushICache(code->instruction_start(),
                              code->instruction_size());
@@ -557,6 +560,7 @@ void Deserializer::Deserialize(Isolate* isolate) {
     isolate_->heap()->RepairFreeListsAfterDeserialization();
     isolate_->heap()->IterateWeakRoots(this, VISIT_ALL);
     DeserializeDeferredObjects();
+    FlushICacheForNewIsolate();
   }

   isolate_->heap()->set_native_contexts_list(
@@ -574,8 +578,6 @@ void Deserializer::Deserialize(Isolate* isolate) {
   ExtraNatives::UpdateSourceCache(isolate_->heap());
   CodeStubNatives::UpdateSourceCache(isolate_->heap());

-  FlushICacheForNewCodeObjects();
-
   // Issue code events for newly deserialized code objects.
   LOG_CODE_EVENT(isolate_, LogCodeObjects());
   LOG_CODE_EVENT(isolate_, LogCompiledFunctions());
@@ -631,6 +633,7 @@ MaybeHandle<SharedFunctionInfo> Deserializer::DeserializeCode( 
       Object* root;
       VisitPointer(&root);
       DeserializeDeferredObjects();
+      FlushICacheForNewCodeObjects();
       result = Handle<SharedFunctionInfo>(SharedFunctionInfo::cast(root));
     }
     CommitNewInternalizedStrings(isolate);
@@ -2529,7 +2532,6 @@ MaybeHandle<SharedFunctionInfo> CodeSerializer::Deserialize( 
     if (FLAG_profile_deserialization) PrintF("[Deserializing failed]\n");
     return MaybeHandle<SharedFunctionInfo>();
   }
-  deserializer.FlushICacheForNewCodeObjects();

   if (FLAG_profile_deserialization) {
     double ms = timer.Elapsed().InMillisecondsF();
Index: src/snapshot/serialize.h
diff --git a/src/snapshot/serialize.h b/src/snapshot/serialize.h
index 512aad1877731a502e145d09a82461022e1910ae..e790062913789df177dd16ffc6620c839cee3bef 100644 
--- a/src/snapshot/serialize.h
+++ b/src/snapshot/serialize.h
@@ -547,8 +547,6 @@ class Deserializer: public SerializerDeserializer {
   // Deserialize a shared function info. Fail gracefully.
   MaybeHandle<SharedFunctionInfo> DeserializeCode(Isolate* isolate);

-  void FlushICacheForNewCodeObjects();
-
// Pass a vector of externally-provided objects referenced by the snapshot. 
   // The ownership to its backing store is handed over as well.
   void SetAttachedObjects(Vector<Handle<Object> > attached_objects) {
@@ -576,6 +574,9 @@ class Deserializer: public SerializerDeserializer {

   void DeserializeDeferredObjects();

+  void FlushICacheForNewIsolate();
+  void FlushICacheForNewCodeObjects();
+
   void CommitNewInternalizedStrings(Isolate* isolate);
// Fills in some heap data in an area from start to end (non-inclusive). The 
Index: test/mjsunit/regress/regress-crbug-523308.js
diff --git a/test/mjsunit/regress/regress-crbug-523308.js b/test/mjsunit/regress/regress-crbug-523308.js 
new file mode 100644
index 0000000000000000000000000000000000000000..5715762ed6b57e98c45e551fa6483bd8e5501a34 
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-523308.js
@@ -0,0 +1,10 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var error;
+try { reference_error(); } catch (e) { error = e; }
+toString = error.toString;
+error.__proto__ = [];
+assertEquals("ReferenceError: reference_error is not defined",
+             toString.call(error));


--
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev
--- You received this message because you are subscribed to the Google Groups "v8-dev" group. 
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
For more options, visit https://groups.google.com/d/optout.

Reply via email to