From f8dcbf4695f4e729513c447dbc0703c1704c3213 Mon Sep 17 00:00:00 2001
From: jarin
Date: Mon, 3 Aug 2015 03:43:24 -0700
Subject: [PATCH] [deoptimizer] Do not pass arguments markers to the debugger.

This fixes a bug introduced by r28826 (Unify decoding of deoptimization translations, https://codereview.chromium.org/1136223004), where we started leaking arguments marker sentinel to the debugger, which would then cause crashes. This change replaces the sentinel with the undefined value in the debugger-inspectable frame.

BUG=chromium:514362
LOG=n
R=yangguo@chromium.org
Review URL: https://codereview.chromium.org/1263333002
Cr-Commit-Position: refs/heads/master@{#29971}
---
 src/deoptimizer.cc | 14 +++++++++++--
 test/mjsunit/debug-materialized.js | 41 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 53 insertions(+), 2 deletions(-)
 create mode 100644 test/mjsunit/debug-materialized.js

diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
index 599962a..d29cb60 100644
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@@ -2266,7 +2266,12 @@ DeoptimizedFrameInfo::DeoptimizedFrameInfo(Deoptimizer* deoptimizer,
   source_position_ = code->SourcePosition(pc);
   for (int i = 0; i < expression_count_; i++) {
-    SetExpression(i, output_frame->GetExpression(i));
+    Object* value = output_frame->GetExpression(i);
+    // Replace materialization markers with the undefined value.
+    if (value == deoptimizer->isolate()->heap()->arguments_marker()) {
+      value = deoptimizer->isolate()->heap()->undefined_value();
+    }
+    SetExpression(i, value);
   }
   if (has_arguments_adaptor) {
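Review bot: The marker-replacement block added to the expressions loop is repeated verbatim in the parameters loop of the next hunk (@@ -2277), and both re-resolve `deoptimizer->isolate()->heap()` on every iteration; a single file-scope helper keeps the two debugger-facing sanitization paths identical, so a future sentinel that must also be hidden from the debugger is handled in one place. Each loop body then collapses to `SetExpression(i, SanitizeForDebugger(deoptimizer->isolate(), output_frame->GetExpression(i)));` (and the `SetParameter` equivalent). The added comment states what but not why; I would write it as `// The arguments marker is an internal sentinel; it must never reach a debugger-visible frame, so surface it as undefined.` The constructor's body starts and ends outside this hunk.
```cpp
// Debugger-inspectable frames must never expose the arguments marker
// sentinel; map it to undefined. Shared by the expressions and parameters
// loops of the DeoptimizedFrameInfo constructor.
static Object* SanitizeForDebugger(Isolate* isolate, Object* value) {
  Heap* heap = isolate->heap();
  return value == heap->arguments_marker() ? heap->undefined_value() : value;
}

// … unchanged: DeoptimizedFrameInfo constructor up to the expressions loop …
  for (int i = 0; i < expression_count_; i++) {
    SetExpression(i, SanitizeForDebugger(deoptimizer->isolate(),
                                         output_frame->GetExpression(i)));
  }
```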
@@ -2277,7 +2282,12 @@ DeoptimizedFrameInfo::DeoptimizedFrameInfo(Deoptimizer* deoptimizer,
     parameters_count_ = output_frame->ComputeParametersCount();
     parameters_ = new Object* [parameters_count_];
     for (int i = 0; i < parameters_count_; i++) {
-      SetParameter(i, output_frame->GetParameter(i));
+      Object* value = output_frame->GetParameter(i);
+      // Replace materialization markers with the undefined value.
+      if (value == deoptimizer->isolate()->heap()->arguments_marker()) {
+        value = deoptimizer->isolate()->heap()->undefined_value();
+      }
+      SetParameter(i, value);
     }
   }
diff --git a/test/mjsunit/debug-materialized.js b/test/mjsunit/debug-materialized.js
new file mode 100644
index 0000000..0b01b78
--- /dev/null
+++ b/test/mjsunit/debug-materialized.js
@@ -0,0 +1,41 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --expose-debug-as debug
+
+function dbg(x) {
+  debugger;
+}
+
+function foo() {
+  arguments[0];
+  dbg();
+}
+
+function bar() {
+  var t = { a : 1 };
+  dbg();
+  return t.a;
+}
+
+foo(1);
+foo(1);
+bar(1);
+bar(1);
+%OptimizeFunctionOnNextCall(foo);
+%OptimizeFunctionOnNextCall(bar);
+
+var Debug = debug.Debug;
+Debug.setListener(function(event, exec_state, event_data, data) {
+  if (event != Debug.DebugEvent.Break) return;
+  for (var i = 0; i < exec_state.frameCount(); i++) {
+    var f = exec_state.frame(i);
+    for (var j = 0; j < f.localCount(); j++) {
+      print("'" + f.localName(j) + "' = " + f.localValue(j).value());
+    }
+  }
+});
+
+foo(1);
+bar(1);
-- 
2.7.4
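Review bot: The regression test only prints the materialized locals and never records that the break listener actually ran, so if the `debugger` statement were skipped (for example because the optimized frames were not inspected) the test would pass vacuously; a reached flag makes the intent explicit: `var listened = false;` before `Debug.setListener`, `listened = true;` as the first statement after the `Break` check, and `assertTrue(listened);` after the final `bar(1);`. Also consider `Debug.setListener(null);` at the end, which the other mjsunit debug tests appear to do to avoid leaving the listener installed. If, as I believe is the case for V8 debug listeners, an exception thrown inside the listener is not propagated to the test, any future assertions inside the loop should be captured in a local and re-checked after the calls rather than asserted directly.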