Issue 2368: LiveEdit crashes when new object/array literal is added

src/liveedit.cc

 // Copyright 2012 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 685 matching lines @@
 
 // Represents some function compilation details. This structure will be used
 // from JavaScript. It contains Code object, which is kept wrapped
 // into a BlindReference for sanitizing reasons.
 class FunctionInfoWrapper : public JSArrayBasedStruct<FunctionInfoWrapper> {
  public:
   explicit FunctionInfoWrapper(Handle<JSArray> array)
       : JSArrayBasedStruct<FunctionInfoWrapper>(array) {
   }
   void SetInitialProperties(Handle<String> name, int start_position,
-                            int end_position, int param_num, int parent_index) {
+                            int end_position, int param_num,
+                            int literal_count, int parent_index) {
     HandleScope scope;
     this->SetField(kFunctionNameOffset_, name);
     this->SetSmiValueField(kStartPositionOffset_, start_position);
     this->SetSmiValueField(kEndPositionOffset_, end_position);
     this->SetSmiValueField(kParamNumOffset_, param_num);
+    this->SetSmiValueField(kLiteralNumOffset_, literal_count);
     this->SetSmiValueField(kParentIndexOffset_, parent_index);
   }
   void SetFunctionCode(Handle<Code> function_code,
       Handle<Object> code_scope_info) {
     Handle<JSValue> code_wrapper = WrapInJSValue(function_code);
     this->SetField(kCodeOffset_, code_wrapper);
 
     Handle<JSValue> scope_wrapper = WrapInJSValue(code_scope_info);
     this->SetField(kCodeScopeInfoOffset_, scope_wrapper);
   }
   void SetOuterScopeInfo(Handle<Object> scope_info_array) {
     this->SetField(kOuterScopeInfoOffset_, scope_info_array);
   }
   void SetSharedFunctionInfo(Handle<SharedFunctionInfo> info) {
     Handle<JSValue> info_holder = WrapInJSValue(info);
     this->SetField(kSharedFunctionInfoOffset_, info_holder);
   }
+  int GetLiteralCount() {
+    return this->GetSmiValueField(kLiteralNumOffset_);
+  }
   int GetParentIndex() {
     return this->GetSmiValueField(kParentIndexOffset_);
   }
   Handle<Code> GetFunctionCode() {
     Object* element = this->GetField(kCodeOffset_);
     CHECK(element->IsJSValue());
     Handle<JSValue> value_wrapper(JSValue::cast(element));
     Handle<Object> raw_result = UnwrapJSValue(value_wrapper);
     CHECK(raw_result->IsCode());
     return Handle<Code>::cast(raw_result);
@@ skipping 13 matching lines @@
  private:
   static const int kFunctionNameOffset_ = 0;
   static const int kStartPositionOffset_ = 1;
   static const int kEndPositionOffset_ = 2;
   static const int kParamNumOffset_ = 3;
   static const int kCodeOffset_ = 4;
   static const int kCodeScopeInfoOffset_ = 5;
   static const int kOuterScopeInfoOffset_ = 6;
   static const int kParentIndexOffset_ = 7;
   static const int kSharedFunctionInfoOffset_ = 8;
-  static const int kSize_ = 9;
+  static const int kLiteralNumOffset_ = 9;
+  static const int kSize_ = 10;
 
   friend class JSArrayBasedStruct<FunctionInfoWrapper>;
 };
 
 
 // Wraps SharedFunctionInfo along with some of its fields for passing it
 // back to JavaScript. SharedFunctionInfo object itself is additionally
 // wrapped into BlindReference for sanitizing reasons.
 class SharedInfoWrapper : public JSArrayBasedStruct<SharedInfoWrapper> {
  public:
@@ skipping 39 matching lines @@
     current_parent_index_ = -1;
     len_ = 0;
     result_ = FACTORY->NewJSArray(10);
   }
 
   void FunctionStarted(FunctionLiteral* fun) {
     HandleScope scope;
     FunctionInfoWrapper info = FunctionInfoWrapper::Create();
     info.SetInitialProperties(fun->name(), fun->start_position(),
                               fun->end_position(), fun->parameter_count(),
+                              fun->materialized_literal_count(),
                               current_parent_index_);
     current_parent_index_ = len_;
     SetElementNonStrict(result_, len_, info.GetJSArray());
     len_++;
   }
 
   void FunctionDone() {
     HandleScope scope;
     FunctionInfoWrapper info =
         FunctionInfoWrapper::cast(
@@ skipping 175 matching lines @@
 
   // Now iterate over all pointers of all objects, including code_target
   // implicit pointers.
   HeapIterator iterator;
   for (HeapObject* obj = iterator.next(); obj != NULL; obj = iterator.next()) {
     obj->Iterate(&visitor);
   }
 }
 
 
+// Finds all instances of JSFunction that refers to the provided shared_info.
+// Return their number and optionally writes them into output array.
+static int FindJSFunctions(Handle<SharedFunctionInfo> shared_info,
+                           Handle<FixedArray> output) {
+  int pos = 0;
+
+  AssertNoAllocation no_allocations_please;
+
+  SharedFunctionInfo* shared_info_raw = *shared_info;
+  HeapIterator iterator;
+  for (HeapObject* obj = iterator.next(); obj != NULL; obj = iterator.next()) {
+    if (obj->IsJSFunction()) {
+      JSFunction* function = JSFunction::cast(obj);
+      if (function->shared() == shared_info_raw) {
+        if (!output.is_null()) {
+          output->set(pos, function);
+        }
+        pos++;
+      }
+    }
+  }
+  return pos;
+}
+
+
+// Finds all instances of JSFunction that refers to the provided shared_info
+// and returns array with them.
+static Handle<FixedArray> CollectJSFunctions(
+    Handle<SharedFunctionInfo> shared_info, Isolate* isolate) {
+  int size = FindJSFunctions(shared_info, Handle<FixedArray>::null());
+  Handle<FixedArray> result = isolate->factory()->NewFixedArray(size);
+  if (size > 0) {
+    FindJSFunctions(shared_info, result);

[Yang, 2012/10/23 16:10:31]

Running twice over the heap seems really inefficient.

[Peter Rybin, 2012/11/11 03:28:47]

In fact I only copy how Runtime_DebugReferencedBy works. We cannot allocate
buffer when iterating and we cannot put found pointers in Zone, because they
must be wrapped as handles.

However I totally refactored the code to separately support a most probably case
when literal count didn't change -- we can perform this by a single heap
iteration.

+  }
+  return result;
+}
+
+
 // Check whether the code is natural function code (not a lazy-compile stub
 // code).
 static bool IsJSFunctionCode(Code* code) {
   return code->kind() == Code::FUNCTION;
 }
 
 
 // Returns true if an instance of candidate were inlined into function's code.
 static bool IsInlined(JSFunction* function, SharedFunctionInfo* candidate) {
   AssertNoAllocation no_gc;
@@ skipping 46 matching lines @@
 
   DependentFunctionsDeoptimizingVisitor visitor(function_info);
   Deoptimizer::VisitAllOptimizedFunctions(&visitor);
 }
 
 
 MaybeObject* LiveEdit::ReplaceFunctionCode(
     Handle<JSArray> new_compile_info_array,
     Handle<JSArray> shared_info_array) {
   HandleScope scope;
+  Isolate* isolate = Isolate::Current();
 
   if (!SharedInfoWrapper::IsInstance(shared_info_array)) {
-    return Isolate::Current()->ThrowIllegalOperation();
+    return isolate->ThrowIllegalOperation();
   }
 
   FunctionInfoWrapper compile_info_wrapper(new_compile_info_array);
   SharedInfoWrapper shared_info_wrapper(shared_info_array);
 
   Handle<SharedFunctionInfo> shared_info = shared_info_wrapper.GetInfo();
 
   HEAP->EnsureHeapIsIterable();
 
   if (IsJSFunctionCode(shared_info->code())) {
@@ skipping 10 matching lines @@
     Handle<Code> new_original_code =
         FACTORY->CopyCode(compile_info_wrapper.GetFunctionCode());
     debug_info->set_original_code(*new_original_code);
   }
 
   int start_position = compile_info_wrapper.GetStartPosition();
   int end_position = compile_info_wrapper.GetEndPosition();
   shared_info->set_start_position(start_position);
   shared_info->set_end_position(end_position);
 
+  // Patch function literals.
+  // TODO(prybin): is the following legit?
+  // Name 'literals' is a misnomer. Rather it's a cache for complex object
+  // boilerplates and for a native context. We must clean cached values or
+  // adjust array size.

[Yang, 2012/10/23 16:10:31]

Wouldn't adjusting array size imply cleaning cached values as well? Please add
that to the comment.

[Peter Rybin, 2012/11/11 03:28:47]

Done.

+  {
+    int new_literal_count = compile_info_wrapper.GetLiteralCount();
+    if (new_literal_count > 0) {
+      new_literal_count += JSFunction::kLiteralsPrefixSize;
+    }
+    shared_info->set_num_literals(new_literal_count);
+
+    Handle<FixedArray> function_instances =
+        CollectJSFunctions(shared_info, isolate);
+    for (int i = 0; i < function_instances->length(); i++) {

[Yang, 2012/10/23 16:10:31]

Instead of looping over function instances that you have to tediously gather,
couldn't you iterate over the heap here and skip every object that is not a
function instance of shared_info? That way you wouldn't need to allocate a new
FixedArray and wouldn't need to iterate the heap twice to find out that
FixedArray's size.

[Peter Rybin, 2012/11/11 03:28:47]

I have to update literal array, and possibly create a new one -- an operation
impossible when iterating heap (as I understand).

+      Handle<JSFunction> fun(JSFunction::cast(function_instances->get(i)));
+      Handle<FixedArray> old_literals(fun->literals());
+      if (old_literals->length() == new_literal_count) {
+        for (int j = JSFunction::kLiteralsPrefixSize;
+            j < new_literal_count; j++) {
+          old_literals->set(j, isolate->heap()->undefined_value());

[Yang, 2012/10/23 16:10:31]

I guess you could use FixedArray->set_undefined here.

[Peter Rybin, 2012/11/11 03:28:47]

Done.

+        }
+      } else {
+        Handle<FixedArray> new_literals =
+            isolate->factory()->NewFixedArray(new_literal_count);
+        if (new_literal_count > 0) {
+          Handle<Context> native_context;
+          if (old_literals->length() >
+              JSFunction::kLiteralNativeContextIndex) {
+            native_context = Handle<Context>(
+                JSFunction::NativeContextFromLiterals(fun->literals()));
+          } else {
+            native_context = Handle<Context>(fun->context()->native_context());
+          }
+          new_literals->set(JSFunction::kLiteralNativeContextIndex,
+              *native_context);
+        }
+        fun->set_literals(*new_literals);
+      }

[Yang, 2012/10/23 16:10:31]

I assume that we are not dealing with optimized code here, right? In that case
only, clearing the literals array is safe (according to mstarzinger@).

[Peter Rybin, 2012/11/11 03:28:47]

May be it more safe to always create an accurate literal array. I don't do a lot
of asserts about optimized/non-optimized.

+    }
+  }
+
   shared_info->set_construct_stub(
       Isolate::Current()->builtins()->builtin(
           Builtins::kJSConstructStubGeneric));
 
   DeoptimizeDependentFunctions(*shared_info);
   Isolate::Current()->compilation_cache()->Remove(shared_info);
 
   return HEAP->undefined_value();
 }
 
@@ skipping 795 matching lines @@
 
 bool LiveEditFunctionTracker::IsActive(Isolate* isolate) {
   return false;
 }
 
 #endif  // ENABLE_DEBUGGER_SUPPORT
 
 
 
 } }  // namespace v8::internal