src/full-codegen/x64/full-codegen-x64.cc - Issue 1334673003: Add instrumentation to track down a crasher

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: src/full-codegen/x64/full-codegen-x64.cc

Issue 1334673003: Add instrumentation to track down a crasher (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master

Patch Set: save receiver and push it before crashing Created 5 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/full-codegen/x64/full-codegen-x64.cc

diff --git a/src/full-codegen/x64/full-codegen-x64.cc b/src/full-codegen/x64/full-codegen-x64.cc

index d5e630e297e1f9d9c4a10b6b85cb74bd7d00e24e..f9af3c7cb5725671178c7e79d00a772ccbed0d04 100644

--- a/src/full-codegen/x64/full-codegen-x64.cc

+++ b/src/full-codegen/x64/full-codegen-x64.cc

@@ -2243,10 +2243,46 @@ void FullCodeGenerator::EmitNamedPropertyLoad(Property* prop) {

Literal* key = prop->key()->AsLiteral();

DCHECK(!prop->IsSuperAccess());

+ // See comment below.

+ if (FeedbackVector()->GetIndex(prop->PropertyFeedbackSlot()) == 6) {

+ __ Push(LoadDescriptor::ReceiverRegister());

+ }

__ Move(LoadDescriptor::NameRegister(), key->value());

__ Move(LoadDescriptor::SlotRegister(),

SmiFromSlot(prop->PropertyFeedbackSlot()));

CallLoadIC(NOT_INSIDE_TYPEOF, language_mode());

+ // Sanity check: The loaded value must be a JS-exposed kind of object,

+ // not something internal (like a Map, or FixedArray). Check this here

+ // to chase after a rare but recurring crash bug. It seems to always

+ // occur for functions beginning with "this.foo.bar()", so be selective

+ // and only insert the check for the first LoadIC (identified by slot).

+ // TODO(jkummerow): Remove this when it has generated a few crash reports.

+ // Don't forget to remove the Push() above as well!

+ if (FeedbackVector()->GetIndex(prop->PropertyFeedbackSlot()) == 6) {

+ __ Pop(LoadDescriptor::ReceiverRegister());

+ Label ok;

+ __ JumpIfSmi(rax, &ok, Label::kNear);

+ __ movp(rbx, FieldOperand(rax, HeapObject::kMapOffset));

+ __ CmpInstanceType(rbx, LAST_PRIMITIVE_TYPE);

+ __ j(below_equal, &ok, Label::kNear);

+ __ CmpInstanceType(rbx, FIRST_JS_RECEIVER_TYPE);

+ __ j(above_equal, &ok, Label::kNear);

+ __ Push(Smi::FromInt(0xaabbccdd));

+ __ Push(LoadDescriptor::ReceiverRegister());

+ __ movp(rbx, FieldOperand(LoadDescriptor::ReceiverRegister(),

+ HeapObject::kMapOffset));

+ __ Push(rbx);

+ __ movp(rbx, FieldOperand(LoadDescriptor::ReceiverRegister(),

+ JSObject::kPropertiesOffset));

+ __ Push(rbx);

+ __ int3();

+ __ bind(&ok);

+ }

}

« no previous file with comments | « no previous file | src/ic/ic.cc » ('j') | no next file with comments »