[deoptimizer] Fix TranslatedState inline frame indexing.

This makes sure that helper methods on the {TranslatedState} class stick to the counting scheme used by {OptimizedFrame::Summarize} within the stack-walker. Both now treat {kJavaScriptBuiltinContinuation} as real JavaScript frames. R=jarin@chromium.org TEST=mjsunit/regress/regress-crbug-770543 BUG=chromium:770543 Change-Id: Icda65a7efb487470d39ebf648767a488ebf2e5f1 Reviewed-on: https://chromium-review.googlesource.com/695123 Commit-Queue: Michael Starzinger <mstarzinger@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#48264}
paul99 · Oct 2, 2017 · 631489b · 631489b
1 parent 1fa0f9b
commit 631489b
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
@@ -3956,7 +3956,8 @@ Handle<Object> TranslatedState::MaterializeObjectAt(int object_index) {
 
 TranslatedFrame* TranslatedState::GetFrameFromJSFrameIndex(int jsframe_index) {
  for (size_t i = 0; i < frames_.size(); i++) {
- if (frames_[i].kind() == TranslatedFrame::kInterpretedFunction) {
+ if (frames_[i].kind() == TranslatedFrame::kInterpretedFunction ||
+ frames_[i].kind() == TranslatedFrame::kJavaScriptBuiltinContinuation) {
  if (jsframe_index > 0) {
  jsframe_index--;
  } else {
@@ -3970,7 +3971,8 @@ TranslatedFrame* TranslatedState::GetFrameFromJSFrameIndex(int jsframe_index) {
 TranslatedFrame* TranslatedState::GetArgumentsInfoFromJSFrameIndex(
  int jsframe_index, int* args_count) {
  for (size_t i = 0; i < frames_.size(); i++) {
- if (frames_[i].kind() == TranslatedFrame::kInterpretedFunction) {
+ if (frames_[i].kind() == TranslatedFrame::kInterpretedFunction ||
+ frames_[i].kind() == TranslatedFrame::kJavaScriptBuiltinContinuation) {
  if (jsframe_index > 0) {
  jsframe_index--;
  } else {

diff --git a/test/mjsunit/regress/regress-crbug-770543.js b/test/mjsunit/regress/regress-crbug-770543.js
@@ -0,0 +1,31 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+(function FunctionCallerFromInlinedBuiltin() {
+ function f() {
+ function g() {
+ Object.getOwnPropertyDescriptor(g, "caller");
+ };
+ [0].forEach(g);
+ }
+ f();
+ f();
+ %OptimizeFunctionOnNextCall(f);
+ f();
+})();
+
+(function FunctionArgumentsFromInlinedBuiltin() {
+ function g() {
+ g.arguments;
+ }
+ function f() {
+ [0].forEach(g);
+ }
+ f();
+ f();
+ %OptimizeFunctionOnNextCall(f);
+ f();
+})();