Fix terrible interaction with code flushing.

This fixes a terrible interaction of code flushing and the clearing of
optimized code maps hanging off a SharedFunctionInfo. The following is
what happened:
1) Incremental marking cleared map in SharedFunctionInfo s, however it
   was not enqueued as a flushing candidate because one JSFunction f1
   still had optimized code.
2) Deoptimization of f1 made s eligible for code flushing.
3) Optimization of f2 added new entry to optimized code map of s.
4) The JSFunction f2 became unreachable and hence is never marked.
5) Incremental marking now visits f1, finds it eligible for flushing,
   also s is eligible for flushing, both are enqueued.
6) Marking finishes, code flusher clears f1 and s, but the optimized
   code map of s still contains an entry.
7) Boom!

R=ulan@chromium.org,hpayer@chromium.org
TEST=mjsunit/es6/generators-iteration
BUG=v8:3803
LOG=N

Review URL: https://codereview.chromium.org/1197713004

Cr-Commit-Position: refs/heads/master@{#29177}

diff --git a/src/compiler.cc b/src/compiler.cc
index 7441f19e5a0467720ba2ff1141443e900979749a..22a1efbde5330c7fdfd2118d0b0babb996677b06 100644 (file)
--- a/src/compiler.cc
+++ b/src/compiler.cc
@@ -705,7 +705,10 @@ MUST_USE_RESULT static MaybeHandle<Code> GetCodeFromOptimizedCodeMap(
       }
       FixedArray* literals = shared->GetLiteralsFromOptimizedCodeMap(index);
       if (literals != NULL) function->set_literals(literals);
-      return Handle<Code>(shared->GetCodeFromOptimizedCodeMap(index));
+      Code* code = shared->GetCodeFromOptimizedCodeMap(index);
+      DCHECK(!code->marked_for_deoptimization());
+      DCHECK(function->shared()->is_compiled());
+      return Handle<Code>(code);
     }
   }
   return MaybeHandle<Code>();

diff --git a/src/factory.cc b/src/factory.cc
index 4cb2addc34c055ea1e4e8489204197053a5c3f58..387c5d1b2935344aa536853692ae389c0c18a265 100644 (file)
--- a/src/factory.cc
+++ b/src/factory.cc
@@ -1392,6 +1392,7 @@ Handle<JSFunction> Factory::NewFunctionFromSharedFunctionInfo(
     if (literals != NULL) result->set_literals(literals);
     Code* code = info->GetCodeFromOptimizedCodeMap(index);
     DCHECK(!code->marked_for_deoptimization());
+    DCHECK(result->shared()->is_compiled());
     result->ReplaceCode(code);
   }
 

diff --git a/src/heap/mark-compact.cc b/src/heap/mark-compact.cc
index 90fc13616c65f750b974ce58ff821742603486f8..2c98b7adc4e47a01103168d819a1117dc99c0ccb 100644 (file)
--- a/src/heap/mark-compact.cc
+++ b/src/heap/mark-compact.cc
@@ -898,6 +898,11 @@ void CodeFlusher::ProcessJSFunctionCandidates() {
         shared->ShortPrint();
         PrintF(" - age: %d]\n", code->GetAge());
       }
+      // Always flush the optimized code map if requested by flag.
+      if (FLAG_cache_optimized_code && FLAG_flush_optimized_code_cache &&
+          !shared->optimized_code_map()->IsSmi()) {
+        shared->ClearOptimizedCodeMap();
+      }
       shared->set_code(lazy_compile);
       candidate->set_code(lazy_compile);
     } else {
@@ -941,6 +946,11 @@ void CodeFlusher::ProcessSharedFunctionInfoCandidates() {
         candidate->ShortPrint();
         PrintF(" - age: %d]\n", code->GetAge());
       }
+      // Always flush the optimized code map if requested by flag.
+      if (FLAG_cache_optimized_code && FLAG_flush_optimized_code_cache &&
+          !candidate->optimized_code_map()->IsSmi()) {
+        candidate->ClearOptimizedCodeMap();
+      }
       candidate->set_code(lazy_compile);
     }
 

diff --git a/test/mjsunit/mjsunit.status b/test/mjsunit/mjsunit.status
index 53be0b080479ec7dd5ce6e84b0969c3b14398c32..07197f59b293c929f2edb177d3b0ccd68c7343a0 100644 (file)
--- a/test/mjsunit/mjsunit.status
+++ b/test/mjsunit/mjsunit.status
@@ -295,9 +295,6 @@
   'regress/regress-3717': [SKIP],
   # Issue 478788.
   'es7/object-observe': [SKIP],
-
-  # Issue 3803.
-  'es6/generators-iteration': [PASS, FLAKY],
 }],  # 'gc_stress == True'
 
 ##############################################################################