Add stack overflow check for inlined property getter

We should check for overflow for each inlined property getter;
otherwise, we can get an overflow from inlining property getter while
still having pending overflow exception from some previous inlined
getter (in the same polymorphic access).

R=verwaest@chromium.org
TEST=test/mjsunit/regress/regress-inline-getter-near-stack-limit.js

Review URL: https://codereview.chromium.org/220813003

git-svn-id: http://v8.googlecode.com/svn/branches/bleeding_edge@20588 ce2b1a6d-e550-0410-aec6-3dcde31c8c00

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index d759b65..8ce614f 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -5649,7 +5649,7 @@ HInstruction* HOptimizedGraphBuilder::BuildMonomorphicAccess(
           ? TryInlineGetter(info->accessor(), info->map(), ast_id, return_id)
           : TryInlineSetter(
               info->accessor(), info->map(), ast_id, return_id, value);
-      if (success) return NULL;
+      if (success || HasStackOverflow()) return NULL;
     }
 
     PushArgumentsFromEnvironment(argument_count);

diff --git a/test/mjsunit/regress/regress-inline-getter-near-stack-limit.js b/test/mjsunit/regress/regress-inline-getter-near-stack-limit.js
new file mode 100644 (file)
index 0000000..d459a7a
--- /dev/null
+++ b/test/mjsunit/regress/regress-inline-getter-near-stack-limit.js
@@ -0,0 +1,24 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+function runNearStackLimit(f) {
+  function t() {
+    try { t(); } catch(e) { f(); }
+  };
+  try { t(); } catch(e) {}
+}
+
+function g(x) { return x.bar; }
+function f1() { }
+function f2() { }
+
+var x = Object.defineProperty({}, "bar", { get: f1 });
+g(x);
+g(x);
+var y = Object.defineProperty({}, "bar", { get: f2 });
+g(y);
+%OptimizeFunctionOnNextCall(g);
+runNearStackLimit(function() { g(y); });