Remove crash-hunting instrumentation that has served its purpose.

BUG=chromium:527994
LOG=n

Review URL: https://codereview.chromium.org/1358393004

Cr-Commit-Position: refs/heads/master@{#30889}

diff --git a/src/builtins.cc b/src/builtins.cc
index 496b5e5bbe6e547681af7dfe065eac7a7ea72f52..87f1037ceae6e5f5dd8569932bf94f71b1bcfef9 100644 (file)
--- a/src/builtins.cc
+++ b/src/builtins.cc
@@ -1739,7 +1739,7 @@ BUILTIN(HandleApiCallAsConstructor) {
 
 
 static void Generate_LoadIC_Miss(MacroAssembler* masm) {
-  LoadIC::GenerateMiss(masm, LoadIC::kStressBuiltin);
+  LoadIC::GenerateMiss(masm);
 }
 
 

diff --git a/src/full-codegen/x64/full-codegen-x64.cc b/src/full-codegen/x64/full-codegen-x64.cc
index 6d7a5e1d086d2088349a189fe3e6850c8ff36cc3..d3a9fdef2b97612c5ca4277cf2ac0ac334f17f2e 100644 (file)
--- a/src/full-codegen/x64/full-codegen-x64.cc
+++ b/src/full-codegen/x64/full-codegen-x64.cc
@@ -2242,47 +2242,10 @@ void FullCodeGenerator::EmitNamedPropertyLoad(Property* prop) {
   Literal* key = prop->key()->AsLiteral();
   DCHECK(!prop->IsSuperAccess());
 
-  // See comment below.
-  if (FeedbackVector()->GetIndex(prop->PropertyFeedbackSlot()) == 6) {
-    __ Push(LoadDescriptor::ReceiverRegister());
-  }
-
   __ Move(LoadDescriptor::NameRegister(), key->value());
   __ Move(LoadDescriptor::SlotRegister(),
           SmiFromSlot(prop->PropertyFeedbackSlot()));
   CallLoadIC(NOT_INSIDE_TYPEOF, language_mode());
-
-  // Sanity check: The loaded value must be a JS-exposed kind of object,
-  // not something internal (like a Map, or FixedArray). Check this here
-  // to chase after a rare but recurring crash bug. It seems to always
-  // occur for functions beginning with "this.foo.bar()", so be selective
-  // and only insert the check for the first LoadIC (identified by slot).
-  // TODO(chromium:527994): Remove this when we have a few crash reports.
-  // Don't forget to remove the Push() above as well!
-  if (FeedbackVector()->GetIndex(prop->PropertyFeedbackSlot()) == 6) {
-    __ Pop(LoadDescriptor::ReceiverRegister());
-
-    Label ok, sound_alarm;
-    __ JumpIfSmi(rax, &ok, Label::kNear);
-    __ movp(rbx, FieldOperand(rax, HeapObject::kMapOffset));
-    __ CompareRoot(rbx, Heap::kMetaMapRootIndex);
-    __ j(equal, &sound_alarm);
-    __ CompareRoot(rbx, Heap::kFixedArrayMapRootIndex);
-    __ j(not_equal, &ok, Label::kNear);
-
-    __ bind(&sound_alarm);
-    __ Push(Smi::FromInt(0xaabbccdd));
-    __ Push(LoadDescriptor::ReceiverRegister());
-    __ movp(rbx, FieldOperand(LoadDescriptor::ReceiverRegister(),
-                              HeapObject::kMapOffset));
-    __ Push(rbx);
-    __ movp(rbx, FieldOperand(LoadDescriptor::ReceiverRegister(),
-                              JSObject::kPropertiesOffset));
-    __ Push(rbx);
-    __ int3();
-
-    __ bind(&ok);
-  }
 }
 
 

diff --git a/src/hydrogen.cc b/src/hydrogen.cc
index eef51e5d952ceddd572edc2e05cd03a3fde2e52c..5f1af6be3f972e4d70496c9e45c0817d891ec693 100644 (file)
--- a/src/hydrogen.cc
+++ b/src/hydrogen.cc
@@ -9626,29 +9626,6 @@ void HOptimizedGraphBuilder::VisitCall(Call* expr) {
     CHECK_ALIVE(VisitForValue(prop->obj()));
     HValue* receiver = Top();
 
-    // Sanity check: The receiver must be a JS-exposed kind of object,
-    // not something internal (like a Map, or FixedArray). Check this here
-    // to chase after a rare but recurring crash bug. It seems to always
-    // occur for functions beginning with "this.foo.bar()", so be selective
-    // and only insert the check for the first call (identified by slot).
-    // TODO(chromium:527994): Remove this when we have a few crash reports.
-    if (prop->key()->IsPropertyName() &&
-        prop->PropertyFeedbackSlot().ToInt() == 2) {
-      IfBuilder if_heapobject(this);
-      if_heapobject.IfNot<HIsSmiAndBranch>(receiver);
-      if_heapobject.Then();
-      {
-        IfBuilder special_map(this);
-        Factory* factory = isolate()->factory();
-        special_map.If<HCompareMap>(receiver, factory->fixed_array_map());
-        special_map.OrIf<HCompareMap>(receiver, factory->meta_map());
-        special_map.Then();
-        Add<HDebugBreak>();
-        special_map.End();
-      }
-      if_heapobject.End();
-    }
-
     SmallMapList* maps;
     ComputeReceiverTypes(expr, receiver, &maps, zone());
 

diff --git a/src/ic/arm/ic-arm.cc b/src/ic/arm/ic-arm.cc
index dfae45b0f085bf38b293011855e304c7f8d9e593..de219ae72fc896c7994e7038244ca1b20b2904dc 100644 (file)
--- a/src/ic/arm/ic-arm.cc
+++ b/src/ic/arm/ic-arm.cc
@@ -300,7 +300,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
   // The return address is in lr.
   Isolate* isolate = masm->isolate();
 

diff --git a/src/ic/arm64/ic-arm64.cc b/src/ic/arm64/ic-arm64.cc
index b60626963a1c66c85561c87eff4007a3e7453fa9..c4c856aab7ef96fc5faffef1b1236d72cee4e543 100644 (file)
--- a/src/ic/arm64/ic-arm64.cc
+++ b/src/ic/arm64/ic-arm64.cc
@@ -280,7 +280,7 @@ void LoadIC::GenerateNormal(MacroAssembler* masm, LanguageMode language_mode) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
   // The return address is in lr.
   Isolate* isolate = masm->isolate();
   ASM_LOCATION("LoadIC::GenerateMiss");

diff --git a/src/ic/ia32/ic-ia32.cc b/src/ic/ia32/ic-ia32.cc
index fc40766e05d34702d963bdbfe76807569503cd38..7a6a41541ccac5c20afcd5248fecbb3c0960119b 100644 (file)
--- a/src/ic/ia32/ic-ia32.cc
+++ b/src/ic/ia32/ic-ia32.cc
@@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
   // Return address is on the stack.
   __ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);
   LoadIC_PushArgs(masm);

diff --git a/src/ic/ic.cc b/src/ic/ic.cc
index 99a79d93688091799a237bff03cf9cd214542be2..23944028a6466cb172aaf41c85903ff8cb553f57 100644 (file)
--- a/src/ic/ic.cc
+++ b/src/ic/ic.cc
@@ -2377,17 +2377,6 @@ RUNTIME_FUNCTION(Runtime_LoadIC_Miss) {
     LoadIC ic(IC::NO_EXTRA_FRAME, isolate, &nexus);
     ic.UpdateState(receiver, key);
     ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, ic.Load(receiver, key));
-
-    // Sanity check: The loaded value must be a JS-exposed kind of object,
-    // not something internal (like a Map, or FixedArray). Check this here
-    // to chase after a rare but recurring crash bug.
-    // TODO(chromium:527994): Remove this when we have a few crash reports.
-    if (!result->IsSmi()) {
-      InstanceType type =
-          Handle<HeapObject>::cast(result)->map()->instance_type();
-      CHECK(type <= LAST_PRIMITIVE_TYPE || type >= FIRST_JS_RECEIVER_TYPE);
-    }
-
   } else {
     DCHECK(vector->GetKind(vector_slot) == Code::KEYED_LOAD_IC);
     KeyedLoadICNexus nexus(vector, vector_slot);
@@ -3126,17 +3115,6 @@ RUNTIME_FUNCTION(Runtime_LoadIC_MissFromStubFailure) {
     LoadIC ic(IC::EXTRA_CALL_FRAME, isolate, &nexus);
     ic.UpdateState(receiver, key);
     ASSIGN_RETURN_FAILURE_ON_EXCEPTION(isolate, result, ic.Load(receiver, key));
-
-    // Sanity check: The loaded value must be a JS-exposed kind of object,
-    // not something internal (like a Map, or FixedArray). Check this here
-    // to chase after a rare but recurring crash bug.
-    // TODO(chromium:527994): Remove this when we have a few crash reports.
-    if (!result->IsSmi()) {
-      InstanceType type =
-          Handle<HeapObject>::cast(result)->map()->instance_type();
-      CHECK(type <= LAST_PRIMITIVE_TYPE || type >= FIRST_JS_RECEIVER_TYPE);
-    }
-
   } else {
     DCHECK(vector->GetKind(vector_slot) == Code::KEYED_LOAD_IC);
     KeyedLoadICNexus nexus(vector, vector_slot);

diff --git a/src/ic/ic.h b/src/ic/ic.h
index 64dd7babdba96bdf9241fd87ad0b8b444a742551..d65d7a8c1ba453b0c9407572438dfd5da124e26e 100644 (file)
--- a/src/ic/ic.h
+++ b/src/ic/ic.h
@@ -324,16 +324,8 @@ class LoadIC : public IC {
 
   // Code generator routines.
 
-  // TODO(jkummerow): Remove the stress parameter and these stress constants
-  // when a crash bug is fixed.
-  static const int kStressNone = 0;
-  static const int kStressInit = 1;
-  static const int kStressDispatcher = 2;
-  static const int kStressBuiltin = 3;
-  static void GenerateInitialize(MacroAssembler* masm) {
-    GenerateMiss(masm, kStressInit);
-  }
-  static void GenerateMiss(MacroAssembler* masm, int stress = kStressNone);
+  static void GenerateInitialize(MacroAssembler* masm) { GenerateMiss(masm); }
+  static void GenerateMiss(MacroAssembler* masm);
   static void GenerateRuntimeGetProperty(MacroAssembler* masm,
                                          LanguageMode language_mode);
   static void GenerateNormal(MacroAssembler* masm, LanguageMode language_mode);

diff --git a/src/ic/mips/ic-mips.cc b/src/ic/mips/ic-mips.cc
index 2d46e51d0a6f658db434d2fce57e46db0b053015..a1a118135bd336970c449b4c644997148b48050f 100644 (file)
--- a/src/ic/mips/ic-mips.cc
+++ b/src/ic/mips/ic-mips.cc
@@ -306,7 +306,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
   // The return address is in ra.
   Isolate* isolate = masm->isolate();
 

diff --git a/src/ic/mips64/ic-mips64.cc b/src/ic/mips64/ic-mips64.cc
index 4ba31235bb0308875b1f4394969a06232006d536..cacc95c3d9270e7eeed434b5fa297551a1ac97c4 100644 (file)
--- a/src/ic/mips64/ic-mips64.cc
+++ b/src/ic/mips64/ic-mips64.cc
@@ -303,7 +303,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
   // The return address is on the stack.
   Isolate* isolate = masm->isolate();
 

diff --git a/src/ic/ppc/ic-ppc.cc b/src/ic/ppc/ic-ppc.cc
index 2079f5b34a1ba8a8baea8a34a068360e4b53796f..09117179ea2a3617d81ac8c069f2d2097f39654a 100644 (file)
--- a/src/ic/ppc/ic-ppc.cc
+++ b/src/ic/ppc/ic-ppc.cc
@@ -310,7 +310,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
   // The return address is in lr.
   Isolate* isolate = masm->isolate();
 

diff --git a/src/ic/x64/ic-x64.cc b/src/ic/x64/ic-x64.cc
index ab400e2c8ac6c79c35d932b1488e28eb6747f945..ff74a965e43aaf67314a06419580ba35adc02afb 100644 (file)
--- a/src/ic/x64/ic-x64.cc
+++ b/src/ic/x64/ic-x64.cc
@@ -667,7 +667,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
   // The return address is on the stack.
 
   Counters* counters = masm->isolate()->counters();
@@ -675,36 +675,6 @@ void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
 
   LoadIC_PushArgs(masm);
 
-  Register receiver = LoadDescriptor::ReceiverRegister();
-
-  // Sanity check: The receiver must be a JS-exposed kind of object,
-  // not something internal (like a Map, or FixedArray). Check this here
-  // to chase after a rare but recurring crash bug.
-  // TODO(chromium:527994): Remove this when we have a few crash reports.
-
-  Label ok, sound_alarm;
-  __ JumpIfSmi(receiver, &ok, Label::kNear);
-  __ movp(rbx, FieldOperand(receiver, HeapObject::kMapOffset));
-  __ CompareRoot(rbx, Heap::kMetaMapRootIndex);
-  __ j(equal, &sound_alarm);
-  __ CompareRoot(rbx, Heap::kFixedArrayMapRootIndex);
-  __ j(not_equal, &ok, Label::kNear);
-
-  // This cmpp instruction is only here to identify which of several kinds
-  // of code blocks embedded the MISS code. (handler, dispatcher).
-  __ cmpp(receiver, Immediate(stress));
-
-  __ bind(&sound_alarm);
-  __ Push(Smi::FromInt(0xaabbccdd));
-  __ Push(receiver);
-  __ movp(rbx, FieldOperand(receiver, HeapObject::kMapOffset));
-  __ Push(rbx);
-  __ movp(rbx, FieldOperand(receiver, JSObject::kPropertiesOffset));
-  __ Push(rbx);
-  __ int3();
-
-  __ bind(&ok);
-
   // Perform tail call to the entry.
   int arg_count = 4;
   __ TailCallRuntime(Runtime::kLoadIC_Miss, arg_count, 1);

diff --git a/src/ic/x87/ic-x87.cc b/src/ic/x87/ic-x87.cc
index 6e56c229d523a89ffa740610b822d557be0f300e..53e7a5ca0c7eaf05212bb006eef78c3cf99b7e1d 100644 (file)
--- a/src/ic/x87/ic-x87.cc
+++ b/src/ic/x87/ic-x87.cc
@@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
+void LoadIC::GenerateMiss(MacroAssembler* masm) {
   // Return address is on the stack.
   __ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);
   LoadIC_PushArgs(masm);

diff --git a/src/x64/code-stubs-x64.cc b/src/x64/code-stubs-x64.cc
index c24a6a08ec03d1d75444ce805f01d16d34d766f7..60042f0fa00caad9ef5e3e7ad4644a3a8a3d5045 100644 (file)
--- a/src/x64/code-stubs-x64.cc
+++ b/src/x64/code-stubs-x64.cc
@@ -4355,7 +4355,7 @@ void LoadICStub::GenerateImpl(MacroAssembler* masm, bool in_frame) {
       masm, Code::LOAD_IC, code_flags, receiver, name, feedback, no_reg);
 
   __ bind(&miss);
-  LoadIC::GenerateMiss(masm, LoadIC::kStressDispatcher);
+  LoadIC::GenerateMiss(masm);
 
   __ bind(&load_smi_map);
   __ LoadRoot(receiver_map, Heap::kHeapNumberMapRootIndex);