Do not use possibly stale values for cache size, etc.

src/runtime.cc

 // Copyright 2010 the V8 project authors. All rights reserved.
 // Redistribution and use in source and binary forms, with or without
 // modification, are permitted provided that the following conditions are
 // met:
 //
 //     * Redistributions of source code must retain the above copyright
 //       notice, this list of conditions and the following disclaimer.
 //     * Redistributions in binary form must reproduce the above
 //       copyright notice, this list of conditions and the following
 //       disclaimer in the documentation and/or other materials provided
@@ skipping 10636 matching lines @@
   ASSERT(args.length() == 2);
   OS::PrintError("abort: %s\n", reinterpret_cast<char*>(args[0]) +
                                     Smi::cast(args[1])->value());
   Top::PrintStack();
   OS::Abort();
   UNREACHABLE();
   return NULL;
 }
 
 
 MUST_USE_RESULT static MaybeObject* CacheMiss(FixedArray* cache_obj,

[Vitaly Repeshko, 2011/01/17 10:08:33]

The name is probably too generic for this >10K line file.

[antonm, 2011/01/17 16:46:06]

I've inlined this helper into the runtime function :)

-                                              int index,
                                               Object* key_obj) {
-  ASSERT(index % 2 == 0);  // index of the key
-  ASSERT(index >= JSFunctionResultCache::kEntriesIndex);
-  ASSERT(index < cache_obj->length());
-
   HandleScope scope;
 
   Handle<FixedArray> cache(cache_obj);
   Handle<Object> key(key_obj);
   Handle<JSFunction> factory(JSFunction::cast(
         cache->get(JSFunctionResultCache::kFactoryIndex)));
   // TODO(antonm): consider passing a receiver when constructing a cache.
   Handle<Object> receiver(Top::global_context()->global());
 
   Handle<Object> value;
   {
     // This handle is nor shared, nor used later, so it's safe.
     Object** argv[] = { key.location() };
     bool pending_exception = false;
     value = Execution::Call(factory,
                             receiver,
                             1,
                             argv,
                             &pending_exception);
     if (pending_exception) return Failure::Exception();
   }
 
+#ifdef DEBUG
+  Handle<JSFunctionResultCache>::cast(cache)->JSFunctionResultCacheVerify();
+#endif
+
+  // Function invocation can have cleared the cache.  Reread all the data.

[Vitaly Repeshko, 2011/01/17 10:08:33]

nit: "may have" or "might have". "Can have" sounds more like could do, but
didn't.

[antonm, 2011/01/17 16:46:06]

Done.

+  const int finger_index =
+      Smi::cast(cache->get(JSFunctionResultCache::kFingerIndex))->value();
+  const int size =
+      Smi::cast(cache->get(JSFunctionResultCache::kCacheSizeIndex))->value();
+
+  // If we have spare room, put new data into it, otherwise evict post finger
+  // entry which is likely to be least recently used.
+  int index = -1;
+  if (size < cache->length()) {
+    cache->set(JSFunctionResultCache::kCacheSizeIndex, Smi::FromInt(size + 2));
+    index = size;
+  } else {
+    index = finger_index + JSFunctionResultCache::kEntrySize;
+    if (index == cache->length()) {
+      index = JSFunctionResultCache::kEntriesIndex;
+    }
+  }
+
+  ASSERT(index % 2 == 0);
+  ASSERT(index >= JSFunctionResultCache::kEntriesIndex);
+  ASSERT(index < cache_obj->length());
+
   cache->set(index, *key);
   cache->set(index + 1, *value);
   cache->set(JSFunctionResultCache::kFingerIndex, Smi::FromInt(index));
 
+#ifdef DEBUG
+  Handle<JSFunctionResultCache>::cast(cache)->JSFunctionResultCacheVerify();
+#endif
+
   return *value;
 }
 
 
 static MaybeObject* Runtime_GetFromCache(Arguments args) {
   // This is only called from codegen, so checks might be more lax.
   CONVERT_CHECKED(FixedArray, cache, args[0]);
   Object* key = args[1];
 
   const int finger_index =
@@ skipping 20 matching lines @@
   ASSERT(size <= cache->length());
 
   for (int i = size - 2; i > finger_index; i -= 2) {
     o = cache->get(i);
     if (o == key) {
       cache->set(JSFunctionResultCache::kFingerIndex, Smi::FromInt(i));
       return cache->get(i + 1);
     }
   }
 
-  // Cache miss.  If we have spare room, put new data into it, otherwise
-  // evict post finger entry which must be least recently used.
-  if (size < cache->length()) {
-    cache->set(JSFunctionResultCache::kCacheSizeIndex, Smi::FromInt(size + 2));
-    return CacheMiss(cache, size, key);
-  } else {
-    int target_index = finger_index + JSFunctionResultCache::kEntrySize;
-    if (target_index == cache->length()) {
-      target_index = JSFunctionResultCache::kEntriesIndex;
-    }
-    return CacheMiss(cache, target_index, key);
-  }
+  return CacheMiss(cache, key);
 }
 
 #ifdef DEBUG
 // ListNatives is ONLY used by the fuzz-natives.js in debug mode
 // Exclude the code in release mode.
 static MaybeObject* Runtime_ListNatives(Arguments args) {
   ASSERT(args.length() == 0);
   HandleScope scope;
   Handle<JSArray> result = Factory::NewJSArray(0);
   int index = 0;
@@ skipping 111 matching lines @@
   } else {
     // Handle last resort GC and make sure to allow future allocations
     // to grow the heap without causing GCs (if possible).
     Counters::gc_last_resort_from_js.Increment();
     Heap::CollectAllGarbage(false);
   }
 }
 
 
 } }  // namespace v8::internal