From fa922b9be434aa42c574090daf6eed821578333e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?=
Date: Fri, 24 Nov 2017 22:34:08 +0100
Subject: [PATCH] deps: backport 4af8029 from upstream V8
Original commit message:
[turbofan] Fix missing lazy deopt in object literals.
This adds a missing lazy bailout point when defining data properties with computed property names in object literals. The runtime call to Runtime::kDefineDataPropertyInLiteral can trigger deopts. The necessary bailout ID already exists and is now properly used.
R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-621816
BUG=chromium:621816
Review-Url: https://codereview.chromium.org/2099133003
Cr-Commit-Position: refs/heads/master@{#37294}
Refs: https://github.com/v8/v8/commit/4af80298b66f6dc0abd7fbab93f377755388d065
PR-URL: https://github.com/nodejs/node/pull/17290
Fixes: https://github.com/nodejs/node/issues/14326
Reviewed-By: Franziska Hinkelmann
Reviewed-By: Ben Noordhuis
---
 deps/v8/include/v8-version.h | 2 +-
 deps/v8/src/compiler/ast-graph-builder.cc | 6 ++++--
 deps/v8/src/compiler/linkage.cc | 1 -
 .../src/full-codegen/arm/full-codegen-arm.cc | 2 ++
 .../full-codegen/arm64/full-codegen-arm64.cc | 2 ++
 .../src/full-codegen/ia32/full-codegen-ia32.cc | 2 ++
 .../src/full-codegen/mips/full-codegen-mips.cc | 2 ++
 .../full-codegen/mips64/full-codegen-mips64.cc | 2 ++
 .../src/full-codegen/ppc/full-codegen-ppc.cc | 2 ++
 .../src/full-codegen/s390/full-codegen-s390.cc | 2 ++
 .../src/full-codegen/x64/full-codegen-x64.cc | 2 ++
 .../src/full-codegen/x87/full-codegen-x87.cc | 2 ++
 .../mjsunit/regress/regress-crbug-621816.js | 18 ++++++++++++++++++
 13 files changed, 41 insertions(+), 4 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/regress/regress-crbug-621816.js
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index e7931da11e423f..f5e1bcbd30bd20 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 5
 #define V8_MINOR_VERSION 1
 #define V8_BUILD_NUMBER 281
-#define V8_PATCH_LEVEL 108
+#define V8_PATCH_LEVEL 109
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/compiler/ast-graph-builder.cc b/deps/v8/src/compiler/ast-graph-builder.cc
index 89bb61949a0b04..e67a5236447dff 100644
--- a/deps/v8/src/compiler/ast-graph-builder.cc
+++ b/deps/v8/src/compiler/ast-graph-builder.cc
@@ -1620,7 +1620,8 @@ void AstGraphBuilder::VisitClassLiteralContents(ClassLiteral* expr) {
 jsgraph()->Constant(property->NeedsSetFunctionName());
 const Operator* op =
 javascript()->CallRuntime(Runtime::kDefineDataPropertyInLiteral);
- NewNode(op, receiver, key, value, attr, set_function_name);
+ Node* call = NewNode(op, receiver, key, value, attr, set_function_name);
+ PrepareFrameState(call, BailoutId::None());
 break;
 }
 case ObjectLiteral::Property::GETTER: {
@@ -1870,7 +1871,8 @@ void AstGraphBuilder::VisitObjectLiteral(ObjectLiteral* expr) {
 jsgraph()->Constant(property->NeedsSetFunctionName());
 const Operator* op =
 javascript()->CallRuntime(Runtime::kDefineDataPropertyInLiteral);
- NewNode(op, receiver, key, value, attr, set_function_name);
+ Node* call = NewNode(op, receiver, key, value, attr, set_function_name);
+ PrepareFrameState(call, expr->GetIdForPropertySet(property_index));
 break;
 }
 case ObjectLiteral::Property::PROTOTYPE:
diff --git a/deps/v8/src/compiler/linkage.cc b/deps/v8/src/compiler/linkage.cc
index 105bd353fca480..7627f09d150642 100644
--- a/deps/v8/src/compiler/linkage.cc
+++ b/deps/v8/src/compiler/linkage.cc
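Review bot: In the VisitClassLiteralContents hunk the new frame state is prepared with `BailoutId::None()`, while the VisitObjectLiteral hunk passes `expr->GetIdForPropertySet(property_index)`, and nothing at the call site says why the class-literal path gets no real bailout id. linkage.cc now makes this runtime call take a frame state, and the full-codegen hunks record a bailout point only in VisitObjectLiteral, so a lazy deopt raised from this call inside a class literal presumably still has no resume point in unoptimized code; that should be confirmed or stated. I would add above the call `// No per-property bailout id for class literals; confirm a lazy deopt cannot be taken from this call.` The added regression test exercises only the object-literal form, and both switch statements begin and end outside their hunks.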
@@ -145,7 +145,6 @@ int Linkage::FrameStateInputCount(Runtime::FunctionId function) {
 switch (function) {
 case Runtime::kAllocateInTargetSpace:
 case Runtime::kCreateIterResultObject:
- case Runtime::kDefineDataPropertyInLiteral:
 case Runtime::kDefineGetterPropertyUnchecked: // TODO(jarin): Is it safe?
 case Runtime::kDefineSetterPropertyUnchecked: // TODO(jarin): Is it safe?
 case Runtime::kFinalizeClassDefinition: // TODO(conradw): Is it safe?
diff --git a/deps/v8/src/full-codegen/arm/full-codegen-arm.cc b/deps/v8/src/full-codegen/arm/full-codegen-arm.cc
index 81c5ff2ae7704a..f687da72624cbc 100644
--- a/deps/v8/src/full-codegen/arm/full-codegen-arm.cc
+++ b/deps/v8/src/full-codegen/arm/full-codegen-arm.cc
@@ -1572,6 +1572,8 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) {
 PushOperand(Smi::FromInt(NONE));
 PushOperand(Smi::FromInt(property->NeedsSetFunctionName()));
 CallRuntimeWithOperands(Runtime::kDefineDataPropertyInLiteral);
+ PrepareForBailoutForId(expr->GetIdForPropertySet(property_index),
+ NO_REGISTERS);
 } else {
 DropOperands(3);
 }
diff --git a/deps/v8/src/full-codegen/arm64/full-codegen-arm64.cc b/deps/v8/src/full-codegen/arm64/full-codegen-arm64.cc
index aa67117a7f4920..547863125d1420 100644
--- a/deps/v8/src/full-codegen/arm64/full-codegen-arm64.cc
+++ b/deps/v8/src/full-codegen/arm64/full-codegen-arm64.cc
@@ -1557,6 +1557,8 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) {
 PushOperand(Smi::FromInt(NONE));
 PushOperand(Smi::FromInt(property->NeedsSetFunctionName()));
 CallRuntimeWithOperands(Runtime::kDefineDataPropertyInLiteral);
+ PrepareForBailoutForId(expr->GetIdForPropertySet(property_index),
+ NO_REGISTERS);
 } else {
 DropOperands(3);
 }
diff --git a/deps/v8/src/full-codegen/ia32/full-codegen-ia32.cc b/deps/v8/src/full-codegen/ia32/full-codegen-ia32.cc
index f1945c897cf2e2..3e56b615a43bf2 100644
--- a/deps/v8/src/full-codegen/ia32/full-codegen-ia32.cc
+++ b/deps/v8/src/full-codegen/ia32/full-codegen-ia32.cc
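Review bot: The `PrepareForBailoutForId(expr->GetIdForPropertySet(property_index), NO_REGISTERS);` added after `CallRuntimeWithOperands` in the arm hunk has no comment tying it to the frame state that AstGraphBuilder::VisitObjectLiteral now attaches with the same id. The two sites appear to have to agree for a lazy deopt to resume at the right point in unoptimized code, so I would add `// Lazy bailout point for the runtime call above; id must match AstGraphBuilder::VisitObjectLiteral.` The same two lines are repeated verbatim in the arm64, ia32, mips, mips64, ppc, s390, x64 and x87 hunks, and the comment applies to each of them. VisitObjectLiteral starts and ends outside every one of these hunks, so whether `property_index` is the same loop index at both sites cannot be checked from the diff.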
@@ -1493,6 +1493,8 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) {
 PushOperand(Smi::FromInt(NONE));
 PushOperand(Smi::FromInt(property->NeedsSetFunctionName()));
 CallRuntimeWithOperands(Runtime::kDefineDataPropertyInLiteral);
+ PrepareForBailoutForId(expr->GetIdForPropertySet(property_index),
+ NO_REGISTERS);
 } else {
 DropOperands(3);
 }
diff --git a/deps/v8/src/full-codegen/mips/full-codegen-mips.cc b/deps/v8/src/full-codegen/mips/full-codegen-mips.cc
index f329a23d00c97a..91a856b8c51217 100644
--- a/deps/v8/src/full-codegen/mips/full-codegen-mips.cc
+++ b/deps/v8/src/full-codegen/mips/full-codegen-mips.cc
@@ -1569,6 +1569,8 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) {
 PushOperand(Smi::FromInt(NONE));
 PushOperand(Smi::FromInt(property->NeedsSetFunctionName()));
 CallRuntimeWithOperands(Runtime::kDefineDataPropertyInLiteral);
+ PrepareForBailoutForId(expr->GetIdForPropertySet(property_index),
+ NO_REGISTERS);
 } else {
 DropOperands(3);
 }
diff --git a/deps/v8/src/full-codegen/mips64/full-codegen-mips64.cc b/deps/v8/src/full-codegen/mips64/full-codegen-mips64.cc
index 681abd12303222..278f589089eecc 100644
--- a/deps/v8/src/full-codegen/mips64/full-codegen-mips64.cc
+++ b/deps/v8/src/full-codegen/mips64/full-codegen-mips64.cc
@@ -1570,6 +1570,8 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) {
 PushOperand(Smi::FromInt(NONE));
 PushOperand(Smi::FromInt(property->NeedsSetFunctionName()));
 CallRuntimeWithOperands(Runtime::kDefineDataPropertyInLiteral);
+ PrepareForBailoutForId(expr->GetIdForPropertySet(property_index),
+ NO_REGISTERS);
 } else {
 DropOperands(3);
 }
diff --git a/deps/v8/src/full-codegen/ppc/full-codegen-ppc.cc b/deps/v8/src/full-codegen/ppc/full-codegen-ppc.cc
index 301ccf53cc3000..9f403f4ac8198e 100644
--- a/deps/v8/src/full-codegen/ppc/full-codegen-ppc.cc
+++ b/deps/v8/src/full-codegen/ppc/full-codegen-ppc.cc
@@ -1532,6 +1532,8 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) {
 PushOperand(Smi::FromInt(NONE));
 PushOperand(Smi::FromInt(property->NeedsSetFunctionName()));
 CallRuntimeWithOperands(Runtime::kDefineDataPropertyInLiteral);
+ PrepareForBailoutForId(expr->GetIdForPropertySet(property_index),
+ NO_REGISTERS);
 } else {
 DropOperands(3);
 }
diff --git a/deps/v8/src/full-codegen/s390/full-codegen-s390.cc b/deps/v8/src/full-codegen/s390/full-codegen-s390.cc
index 88bec4cab6e63f..8c8a84707771e1 100644
--- a/deps/v8/src/full-codegen/s390/full-codegen-s390.cc
+++ b/deps/v8/src/full-codegen/s390/full-codegen-s390.cc
@@ -1491,6 +1491,8 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) {
 PushOperand(Smi::FromInt(NONE));
 PushOperand(Smi::FromInt(property->NeedsSetFunctionName()));
 CallRuntimeWithOperands(Runtime::kDefineDataPropertyInLiteral);
+ PrepareForBailoutForId(expr->GetIdForPropertySet(property_index),
+ NO_REGISTERS);
 } else {
 DropOperands(3);
 }
diff --git a/deps/v8/src/full-codegen/x64/full-codegen-x64.cc b/deps/v8/src/full-codegen/x64/full-codegen-x64.cc
index 992e7fe4f72dd8..775c721db374d7 100644
--- a/deps/v8/src/full-codegen/x64/full-codegen-x64.cc
+++ b/deps/v8/src/full-codegen/x64/full-codegen-x64.cc
@@ -1518,6 +1518,8 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) {
 PushOperand(Smi::FromInt(NONE));
 PushOperand(Smi::FromInt(property->NeedsSetFunctionName()));
 CallRuntimeWithOperands(Runtime::kDefineDataPropertyInLiteral);
+ PrepareForBailoutForId(expr->GetIdForPropertySet(property_index),
+ NO_REGISTERS);
 } else {
 DropOperands(3);
 }
diff --git a/deps/v8/src/full-codegen/x87/full-codegen-x87.cc b/deps/v8/src/full-codegen/x87/full-codegen-x87.cc
index f14aaf69b02d97..54130e9f630c97 100644
--- a/deps/v8/src/full-codegen/x87/full-codegen-x87.cc
+++ b/deps/v8/src/full-codegen/x87/full-codegen-x87.cc
@@ -1485,6 +1485,8 @@ void FullCodeGenerator::VisitObjectLiteral(ObjectLiteral* expr) {
 PushOperand(Smi::FromInt(NONE));
 PushOperand(Smi::FromInt(property->NeedsSetFunctionName()));
 CallRuntimeWithOperands(Runtime::kDefineDataPropertyInLiteral);
+ PrepareForBailoutForId(expr->GetIdForPropertySet(property_index),
+ NO_REGISTERS);
 } else {
 DropOperands(3);
 }
diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-621816.js b/deps/v8/test/mjsunit/regress/regress-crbug-621816.js
new file mode 100644
index 00000000000000..ca7f5ac6df314f
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-crbug-621816.js
@@ -0,0 +1,18 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo
+
+function f() {
+ var o = {};
+ o.a = 1;
+}
+function g() {
+ var o = { ['a']: function(){} };
+ f();
+}
+f();
+f();
+%OptimizeFunctionOnNextCall(g);
+g();
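Review bot: The new regress-crbug-621816.js has neither a comment saying what it checks nor any assertion, so it passes as long as the final `g()` call does not crash. Going by the commit message, a header line such as `// The computed-name property definition in optimized g() can trigger a lazy deopt; it must have a bailout point (crbug 621816).` would make the intent reviewable. The test also builds only an object literal under `--turbo`, so the class-literal call site changed in ast-graph-builder.cc is not exercised; a second function defining a class would cover it, if that path can deopt at all.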