Reviewers: Toon Verwaest,
Description:
Add stack overflow check for inlined property getter
We should check for overflow for each inlined property getter;
otherwise, inlining a property getter can overflow while an overflow
exception from a previously inlined getter (in the same polymorphic
access) is still pending.
[email protected]
TEST=test/mjsunit/regress/regress-inline-getter-near-stack-limit.js
Please review this at https://codereview.chromium.org/220813003/
SVN Base: https://v8.googlecode.com/svn/branches/bleeding_edge
Affected files (+25, -1 lines):
M src/hydrogen.cc
A test/mjsunit/regress/regress-inline-getter-near-stack-limit.js
Index: src/hydrogen.cc
diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index
24c2ab40b64445905df381b9213a3e8695b97b36..25cb86ac9ea1ce003403e56e5f9645aff2aa2618
100644
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -5647,7 +5647,7 @@ HInstruction*
HOptimizedGraphBuilder::BuildMonomorphicAccess(
? TryInlineGetter(info->accessor(), info->map(), ast_id,
return_id)
: TryInlineSetter(
info->accessor(), info->map(), ast_id, return_id, value);
- if (success) return NULL;
+ if (success || HasStackOverflow()) return NULL;
}
PushArgumentsFromEnvironment(argument_count);
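Review bot: With the new guard `if (success || HasStackOverflow()) return NULL;`, a NULL return now covers two different outcomes: the accessor was inlined, or graph building hit the stack limit. Nothing in the hunk says callers have to tell them apart. A comment above the line would record that, for example `// NULL: accessor inlined, or inlining bailed out on stack overflow; callers must check HasStackOverflow().` The guard also covers the TryInlineSetter arm of the ternary, but the added regression test only exercises a getter, so a setter variant would pin that path as well. BuildMonomorphicAccess starts and ends outside the hunk, so it is not visible here whether the polymorphic caller already stops on a pending overflow.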
Index: test/mjsunit/regress/regress-inline-getter-near-stack-limit.js
diff --git a/test/mjsunit/regress/regress-inline-getter-near-stack-limit.js
b/test/mjsunit/regress/regress-inline-getter-near-stack-limit.js
new file mode 100644
index
0000000000000000000000000000000000000000..d459a7a8d3e6d1c89be08c544245723a5a084b11
--- /dev/null
+++ b/test/mjsunit/regress/regress-inline-getter-near-stack-limit.js
@@ -0,0 +1,24 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+function runNearStackLimit(f) {
+ function t() {
+ try { t(); } catch(e) { f(); }
+ };
+ try { t(); } catch(e) {}
+}
+
+function g(x) { return x.bar; }
+function f1() { }
+function f2() { }
+
+var x = Object.defineProperty({}, "bar", { get: f1 });
+g(x);
+g(x);
+var y = Object.defineProperty({}, "bar", { get: f2 });
+g(y);
+%OptimizeFunctionOnNextCall(g);
+runNearStackLimit(function() { g(y); });
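Review bot: The test has no assertion and no comment saying what a pass means. It appears to pass only by not crashing or tripping a debug check while g is optimized close to the stack limit. A comment above `%OptimizeFunctionOnNextCall(g);` would make that explicit, for example `// g is polymorphic over two getters; optimizing it near the stack limit must not crash.` It is also worth a one-line comment on runNearStackLimit that the catch in t() re-invokes f from successive frames as the stack unwinds until a call completes, since that is what puts the call to g(y) near the limit.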