Comment #5 on issue 3282 by [email protected]: V8 crash in dart2js code
http://code.google.com/p/v8/issues/detail?id=3282
This is a pretty old V8 bug as far as I can tell.
The following is a reduced repro:
=====================================
"use strict";
function f1(d) {
return 1 + f2(f3(d));
}
function f2(v) { return v; }
function f3(d) {
if (d) %DeoptimizeFunction(f1);
return 2;
}
%NeverOptimizeFunction(f3);
f1(false);
f1(false);
%OptimizeFunctionOnNextCall(f1);
assertEquals(3, f1(true));
=====================================
The problem is that the sequence at f2(f3(d)) looks as follows:
=====================================
f3(d)
simulate(after f3, removable);
simulate(after f2, removable);
EnterInlined(f2);
simulate...
...
LeaveInlined(f2);
=====================================
The simulate "after f2" is added to indicate how to restore the state if we
get a deopt during inlined execution of f2. f1 has to deopt to a pc after
f2, since a separate frame will be created for f2. When that frame returns,
we are after f2.
In this form, that simulate isn't directly reachable. Inlined code deopts
to after EnterInlined, a separate simulate that'll set up a stackframe for
f2. f3 may lazy deopt to simulate(after f3, removable), and also doesn't
reach simulate(after f2, removable).
However, the optimization phase HMergeRemovableSimulatesPhase merges forward
simulate(after f3, removable) into simulate(f2, removable), leaving the
code as:
=====================================
f3(d)
simulate(after f2, removable);
EnterInlined(f2);
simulate...
...
LeaveInlined(f2);
=====================================
If f3 now lazy deopts, it'll execute until simulate(after f2, removable).
That particular simulate doesn't alter the stack: it leaves function,
receiver and arguments on the stack, but it jumps to *after* f2 execution.
Hence, we'll end up in a state where we expect the return value of f2 on
the stack, but instead see function, receiver, arguments; and f2 didn't
even execute!
Will be fixed by https://codereview.chromium.org/257583004/
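The mechanism described in the comment, modelled in Python as an added illustration that is not V8 code and not part of the original message: a short instruction sequence in the comment's own notation (call, simulate, EnterInlined, LeaveInlined), a forward-merge of adjacent removable simulates, and a check of which simulate a lazily deoptimized call would resume at and whether the stack it expects matches what the runtime actually has. The frame-state fields on each simulate and the `same_resume_point` guard are assumptions made for this sketch; the guard is an illustrative constraint, not the fix in the linked code review.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Simulate:
    """A deopt resume point: where unoptimized code continues and what the
    frame must hold there. Fields are assumed for this sketch."""
    name: str                   # e.g. "after f3"
    resume_at: str              # position in unoptimized code to continue from
    expected_stack: List[str]   # operand stack the unoptimized frame expects
    removable: bool = True


@dataclass
class Call:
    callee: str
    args: List[str]
    # A call's lazy-deopt target is the next Simulate in the sequence.


@dataclass
class EnterInlined:
    callee: str


@dataclass
class LeaveInlined:
    callee: str


def sequence_after_graph_building():
    """The sequence for f2(f3(d)) as laid out in the comment (constructed)."""
    return [
        Call("f3", ["d"]),
        Simulate("after f3", resume_at="call f2",
                 expected_stack=["f2", "receiver", "f3_result"]),
        Simulate("after f2", resume_at="after f2",
                 expected_stack=["f2_result"]),
        EnterInlined("f2"),
        Simulate("inside f2", resume_at="f2 entry",
                 expected_stack=["f2", "receiver", "f3_result"],
                 removable=False),
        LeaveInlined("f2"),
    ]


def merge_removable_simulates(seq, guard=None):
    """Forward-merge each removable simulate into an immediately following
    removable simulate, the way the comment describes the phase behaving.
    `guard(first, second)` is an assumed hook that may veto a merge."""
    out = []
    for node in seq:
        if (out and isinstance(node, Simulate) and isinstance(out[-1], Simulate)
                and out[-1].removable and node.removable
                and (guard is None or guard(out[-1], node))):
            out[-1] = node      # drop the earlier simulate, keep the later one
            continue
        out.append(node)
    return out


def lazy_deopt_target(seq, call_index):
    """The simulate a lazily deoptimized call resumes at: the next one after it."""
    for node in seq[call_index + 1:]:
        if isinstance(node, Simulate):
            return node
    return None


def check_lazy_deopt(seq, call_index, actual_stack):
    """Compare what the deopt target expects on the stack with what the
    runtime really has when the call returns. Returns (ok, target_name)."""
    target = lazy_deopt_target(seq, call_index)
    return (target.expected_stack == actual_stack, target.name)


def same_resume_point(first, second):
    """Assumed guard: only merge simulates that resume at the same place with
    the same stack layout. Illustrative only, not V8's actual fix."""
    return (first.resume_at == second.resume_at
            and first.expected_stack == second.expected_stack)


# When f3 lazily deopts f1, the frame still holds f2, the receiver and f3's
# result, because f2 has not run yet (constructed to match the comment).
STACK_WHEN_F3_RETURNS = ["f2", "receiver", "f3_result"]

if __name__ == "__main__":
    original = sequence_after_graph_building()
    print(check_lazy_deopt(original, 0, STACK_WHEN_F3_RETURNS))
    merged = merge_removable_simulates(original)
    print(check_lazy_deopt(merged, 0, STACK_WHEN_F3_RETURNS))
    guarded = merge_removable_simulates(original, guard=same_resume_point)
    print(check_lazy_deopt(guarded, 0, STACK_WHEN_F3_RETURNS))
```

Running it shows the three states the comment walks through: before merging, f3's lazy deopt lands on "after f3" with a matching stack; after the unguarded merge it lands on "after f2", which expects f2's result while the frame still holds function, receiver and argument; with the assumed guard the two simulates are left separate because they describe different resume points.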
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev