src/x64/lithium-codegen-x64.cc - Issue 14403015: Disallow dereferencing deferred handles when generating optimized code.

Unified Diff: src/x64/lithium-codegen-x64.cc

Issue 14403015: Disallow dereferencing deferred handles when generating optimized code. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge

Patch Set: Created 7 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: src/x64/lithium-codegen-x64.cc

diff --git a/src/x64/lithium-codegen-x64.cc b/src/x64/lithium-codegen-x64.cc

index 054dd606a2241afd811b4ced43118ce2ff100530..b24ec762a0a8f5220341bc78cf333b1bd2fb23ea 100644

--- a/src/x64/lithium-codegen-x64.cc

+++ b/src/x64/lithium-codegen-x64.cc

@@ -483,7 +483,7 @@ void LCodeGen::WriteTranslation(LEnvironment* environment,

pushed_arguments_index,

pushed_arguments_count);

bool has_closure_id = !info()->closure().is_null() &&

- *info()->closure() != *environment->closure();

+ !info()->closure().is_identical_to(environment->closure());

int closure_id = has_closure_id

? DefineDeoptimizationLiteral(environment->closure())

: Translation::kSelfLiteralId;

@@ -800,10 +800,12 @@ void LCodeGen::PopulateDeoptimizationData(Handle<Code> code) {

Handle<FixedArray> literals =

factory()->NewFixedArray(deoptimization_literals_.length(), TENURED);

- for (int i = 0; i < deoptimization_literals_.length(); i++) {

- literals->set(i, *deoptimization_literals_[i]);

+ { ALLOW_HANDLE_DEREF("copying a ZoneList of handles into a FixedArray");

+ for (int i = 0; i < deoptimization_literals_.length(); i++) {

+ literals->set(i, *deoptimization_literals_[i]);

+ }

+ data->SetLiteralArray(*literals);

}

- data->SetLiteralArray(*literals);

data->SetOsrAstId(Smi::FromInt(info_->osr_ast_id().ToInt()));

data->SetOsrPcOffset(Smi::FromInt(osr_pc_offset_));

@@ -1557,6 +1559,7 @@ void LCodeGen::DoConstantD(LConstantD* instr) {

void LCodeGen::DoConstantT(LConstantT* instr) {

Handle<Object> value = instr->value();

+ ALLOW_HANDLE_DEREF("smi check");

if (value->IsSmi()) {

__ Move(ToRegister(instr->result()), value);

} else {

@@ -3313,12 +3316,15 @@ void LCodeGen::DoGlobalReceiver(LGlobalReceiver* instr) {

void LCodeGen::CallKnownFunction(Handle<JSFunction> function,

+ int formal_parameter_count,

int arity,

LInstruction* instr,

CallKind call_kind,

RDIState rdi_state) {

- bool can_invoke_directly = !function->NeedsArgumentsAdaption() ||

- function->shared()->formal_parameter_count() == arity;

+ bool dont_adapt_arguments =

+ formal_parameter_count == SharedFunctionInfo::kDontAdaptArgumentsSentinel;

+ bool can_invoke_directly =

+ dont_adapt_arguments || formal_parameter_count == arity;

LPointerMap* pointers = instr->pointer_map();

RecordPosition(pointers->position());

@@ -3333,13 +3339,13 @@ void LCodeGen::CallKnownFunction(Handle<JSFunction> function,

// Set rax to arguments count if adaption is not needed. Assumes that rax

// is available to write to at this point.

- if (!function->NeedsArgumentsAdaption()) {

+ if (dont_adapt_arguments) {

__ Set(rax, arity);

}

// Invoke function.

__ SetCallKind(rcx, call_kind);

- if (*function == *info()->closure()) {

+ if (function.is_identical_to(info()->closure())) {

__ CallSelf();

} else {

__ call(FieldOperand(rdi, JSFunction::kCodeEntryOffset));

@@ -3352,7 +3358,9 @@ void LCodeGen::CallKnownFunction(Handle<JSFunction> function,

SafepointGenerator generator(

this, pointers, Safepoint::kLazyDeopt);

ParameterCount count(arity);

- __ InvokeFunction(function, count, CALL_FUNCTION, generator, call_kind);

+ ParameterCount expected(formal_parameter_count);

+ __ InvokeFunction(

+ function, expected, count, CALL_FUNCTION, generator, call_kind);

}

// Restore context.

@@ -3362,7 +3370,8 @@ void LCodeGen::CallKnownFunction(Handle<JSFunction> function,

void LCodeGen::DoCallConstantFunction(LCallConstantFunction* instr) {

ASSERT(ToRegister(instr->result()).is(rax));

- CallKnownFunction(instr->function(),

+ CallKnownFunction(instr->hydrogen()->function(),

+ instr->hydrogen()->formal_parameter_count(),

instr->arity(),

instr,

CALL_AS_METHOD,

@@ -3802,7 +3811,8 @@ void LCodeGen::DoInvokeFunction(LInvokeFunction* instr) {

ASSERT(ToRegister(instr->function()).is(rdi));

ASSERT(instr->HasPointerMap());

- if (instr->known_function().is_null()) {

+ Handle<JSFunction> known_function = instr->hydrogen()->known_function();

+ if (known_function.is_null()) {

LPointerMap* pointers = instr->pointer_map();

RecordPosition(pointers->position());

SafepointGenerator generator(this, pointers, Safepoint::kLazyDeopt);

@@ -3810,7 +3820,8 @@ void LCodeGen::DoInvokeFunction(LInvokeFunction* instr) {

__ InvokeFunction(rdi, count, CALL_FUNCTION, generator, CALL_AS_METHOD);

__ movq(rsi, Operand(rbp, StandardFrameConstants::kContextOffset));

} else {

- CallKnownFunction(instr->known_function(),

+ CallKnownFunction(known_function,

+ instr->hydrogen()->formal_parameter_count(),

instr->arity(),

instr,

CALL_AS_METHOD,

@@ -3869,7 +3880,8 @@ void LCodeGen::DoCallGlobal(LCallGlobal* instr) {

void LCodeGen::DoCallKnownGlobal(LCallKnownGlobal* instr) {

ASSERT(ToRegister(instr->result()).is(rax));

- CallKnownFunction(instr->target(),

+ CallKnownFunction(instr->hydrogen()->target(),

+ instr->hydrogen()->formal_parameter_count(),

instr->arity(),

instr,

CALL_AS_FUNCTION,

@@ -4870,6 +4882,7 @@ void LCodeGen::DoCheckInstanceType(LCheckInstanceType* instr) {

void LCodeGen::DoCheckFunction(LCheckFunction* instr) {

Handle<JSFunction> target = instr->hydrogen()->target();

+ ALLOW_HANDLE_DEREF("using raw address");

if (isolate()->heap()->InNewSpace(*target)) {

Handle<JSGlobalPropertyCell> cell =

isolate()->factory()->NewJSGlobalPropertyCell(target);

@@ -4998,16 +5011,12 @@ void LCodeGen::DoAllocateObject(LAllocateObject* instr) {

Handle<JSFunction> constructor = instr->hydrogen()->constructor();

- Handle<Map> initial_map(constructor->initial_map());

+ Handle<Map> initial_map = instr->hydrogen()->constructor_initial_map();

int instance_size = initial_map->instance_size();

ASSERT(initial_map->pre_allocated_property_fields() +

initial_map->unused_property_fields() -

initial_map->inobject_properties() == 0);

- // Allocate memory for the object. The initial map might change when

- // the constructor's prototype changes, but instance size and property

- // counts remain unchanged (if slack tracking finished).

- ASSERT(!constructor->shared()->IsInobjectSlackTrackingInProgress());

__ Allocate(instance_size, result, no_reg, scratch, deferred->entry(),

TAG_OBJECT);

@@ -5058,8 +5067,7 @@ void LCodeGen::DoAllocateObject(LAllocateObject* instr) {

void LCodeGen::DoDeferredAllocateObject(LAllocateObject* instr) {

- Handle<JSFunction> constructor = instr->hydrogen()->constructor();

- Handle<Map> initial_map(constructor->initial_map());

+ Handle<Map> initial_map = instr->hydrogen()->constructor_initial_map();

int instance_size = initial_map->instance_size();

// TODO(3095996): Get rid of this. For now, we need to make the

@@ -5135,7 +5143,7 @@ void LCodeGen::DoDeferredAllocate(LAllocate* instr) {

void LCodeGen::DoArrayLiteral(LArrayLiteral* instr) {

- Handle<FixedArray> literals(instr->environment()->closure()->literals());

+ Handle<FixedArray> literals = instr->hydrogen()->literals();

ElementsKind boilerplate_elements_kind =

instr->hydrogen()->boilerplate_elements_kind();

AllocationSiteMode allocation_site_mode =

@@ -5195,7 +5203,7 @@ void LCodeGen::DoArrayLiteral(LArrayLiteral* instr) {

void LCodeGen::DoObjectLiteral(LObjectLiteral* instr) {

- Handle<FixedArray> literals(instr->environment()->closure()->literals());

+ Handle<FixedArray> literals = instr->hydrogen()->literals();

Handle<FixedArray> constant_properties =

instr->hydrogen()->constant_properties();

@@ -5208,7 +5216,7 @@ void LCodeGen::DoObjectLiteral(LObjectLiteral* instr) {

// Set up the parameters to the stub/runtime call and pick the right

// runtime function or stub to call.

- int properties_count = constant_properties->length() / 2;

+ int properties_count = instr->hydrogen()->constant_properties_length() / 2;

if (instr->hydrogen()->depth() > 1) {

__ PushHeapObject(literals);

__ Push(Smi::FromInt(instr->hydrogen()->literal_index()));

@@ -5293,19 +5301,18 @@ void LCodeGen::DoRegExpLiteral(LRegExpLiteral* instr) {

void LCodeGen::DoFunctionLiteral(LFunctionLiteral* instr) {

// Use the fast case closure allocation code that allocates in new

// space for nested functions that don't need literals cloning.

- Handle<SharedFunctionInfo> shared_info = instr->shared_info();

+ Handle<SharedFunctionInfo> shared_info = instr->hydrogen()->shared_info();

bool pretenure = instr->hydrogen()->pretenure();

- if (!pretenure && shared_info->num_literals() == 0) {

- FastNewClosureStub stub(shared_info->language_mode(),

- shared_info->is_generator());

+ if (!pretenure && instr->hydrogen()->has_no_literals()) {

+ FastNewClosureStub stub(instr->hydrogen()->language_mode(),

+ instr->hydrogen()->is_generator());

__ Push(shared_info);

CallCode(stub.GetCode(isolate()), RelocInfo::CODE_TARGET, instr);

} else {

__ push(rsi);

__ Push(shared_info);

- __ PushRoot(pretenure ?

- Heap::kTrueValueRootIndex :

- Heap::kFalseValueRootIndex);

+ __ PushRoot(pretenure ? Heap::kTrueValueRootIndex :

+ Heap::kFalseValueRootIndex);

CallRuntime(Runtime::kNewClosure, 3, instr);

}

@@ -5322,6 +5329,7 @@ void LCodeGen::EmitPushTaggedOperand(LOperand* operand) {

ASSERT(!operand->IsDoubleRegister());

if (operand->IsConstantOperand()) {

Handle<Object> object = ToHandle(LConstantOperand::cast(operand));

+ ALLOW_HANDLE_DEREF("smi check");

if (object->IsSmi()) {

__ Push(Handle<Smi>::cast(object));

} else {

« src/isolate.cc ('K') | « src/x64/lithium-codegen-x64.h ('k') | src/x64/lithium-x64.h » ('j') | no next file with comments »