github/electron
1
1
Fork 0
mirror of https://github.com/electron/electron.git synced 2026-04-10 03:01:51 -04:00
Code Issues Packages Projects Releases Wiki Activity

chore: cherry-pick fix from chromium issue 1084820 (#24566)

Browse Source
This commit is contained in:
Cheng Zhao
2020-07-16 08:31:30 +09:00
committed by GitHub
parent 2c08cc711f
commit fbf024dba4
2 changed files with 771 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
patches/v8/.patches
View File

@@ -7,3 +7,4 @@ workaround_an_undefined_symbol_error.patch
do_not_export_private_v8_symbols_on_windows.patch
revert_cleanup_switch_offset_of_to_offsetof_where_possible.patch
fix_build_deprecated_attirbute_for_older_msvc_versions.patch
backport_1084820.patch

770
patches/v8/backport_1084820.patch Normal file
View File

@@ -0,0 +1,770 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Cheng Zhao <zcbenz@gmail.com>
Date: Thu, 4 Oct 2018 14:57:02 -0700
Subject: fix: object materialization
[1084820] [High] [CVE-2020-6512]: DCHECK failure in value.IsHeapObject() in objects-debug.cc
Backport https://chromium.googlesource.com/v8/v8.git/+/c16f62d6e943756d8b4170a36f61e666ced82e6d
diff --git a/src/deoptimizer/deoptimizer.cc b/src/deoptimizer/deoptimizer.cc
index 9fcccd483c6a10a42a217c61d7ef60f50b3e4f07..44c92f557046dbb4268b218d0753367356ee9cd3 100644
--- a/src/deoptimizer/deoptimizer.cc
+++ b/src/deoptimizer/deoptimizer.cc
@@ -48,7 +48,6 @@ class FrameWriter {
void PushRawValue(intptr_t value, const char* debug_hint) {
PushValue(value);
-
if (trace_scope_ != nullptr) {
DebugPrintOutputValue(value, debug_hint);
}
@@ -83,13 +82,10 @@ class FrameWriter {
void PushTranslatedValue(const TranslatedFrame::iterator& iterator,
const char* debug_hint = "") {
Object obj = iterator->GetRawValue();
-
PushRawObject(obj, debug_hint);
-
if (trace_scope_) {
PrintF(trace_scope_->file(), " (input #%d)\n", iterator.input_index());
}
-
deoptimizer_->QueueValueForMaterialization(output_address(top_offset_), obj,
iterator);
}
@@ -2428,6 +2424,11 @@ int TranslatedValue::object_index() const {
Object TranslatedValue::GetRawValue() const {
// If we have a value, return it.
if (materialization_state() == kFinished) {
+ int smi;
+ if (storage_->IsHeapNumber() &&
+ DoubleToSmiInteger(storage_->Number(), &smi)) {
+ return Smi::FromInt(smi);
+ }
return *storage_;
}
@@ -2470,6 +2471,22 @@ Object TranslatedValue::GetRawValue() const {
}
}
+ case kFloat: {
+ int smi;
+ if (DoubleToSmiInteger(float_value().get_scalar(), &smi)) {
+ return Smi::FromInt(smi);
+ }
+ break;
+ }
+
+ case kDouble: {
+ int smi;
+ if (DoubleToSmiInteger(double_value().get_scalar(), &smi)) {
+ return Smi::FromInt(smi);
+ }
+ break;
+ }
+
default:
break;
}
@@ -2479,106 +2496,76 @@ Object TranslatedValue::GetRawValue() const {
return ReadOnlyRoots(isolate()).arguments_marker();
}
-void TranslatedValue::set_initialized_storage(Handle<Object> storage) {
+void TranslatedValue::set_initialized_storage(Handle<HeapObject> storage) {
DCHECK_EQ(kUninitialized, materialization_state());
storage_ = storage;
materialization_state_ = kFinished;
}
Handle<Object> TranslatedValue::GetValue() {
- // If we already have a value, then get it.
- if (materialization_state() == kFinished) return storage_;
-
- // Otherwise we have to materialize.
- switch (kind()) {
- case TranslatedValue::kTagged:
- case TranslatedValue::kInt32:
- case TranslatedValue::kInt64:
- case TranslatedValue::kUInt32:
- case TranslatedValue::kBoolBit:
- case TranslatedValue::kFloat:
- case TranslatedValue::kDouble: {
- MaterializeSimple();
- return storage_;
- }
-
- case TranslatedValue::kCapturedObject:
- case TranslatedValue::kDuplicatedObject: {
- // We need to materialize the object (or possibly even object graphs).
- // To make the object verifier happy, we materialize in two steps.
-
- // 1. Allocate storage for reachable objects. This makes sure that for
- // each object we have allocated space on heap. The space will be
- // a byte array that will be later initialized, or a fully
- // initialized object if it is safe to allocate one that will
- // pass the verifier.
- container_->EnsureObjectAllocatedAt(this);
-
- // 2. Initialize the objects. If we have allocated only byte arrays
- // for some objects, we now overwrite the byte arrays with the
- // correct object fields. Note that this phase does not allocate
- // any new objects, so it does not trigger the object verifier.
- return container_->InitializeObjectAt(this);
- }
-
- case TranslatedValue::kInvalid:
- FATAL("unexpected case");
- return Handle<Object>::null();
+ Handle<Object> value(GetRawValue(), isolate());
+ if (materialization_state() == kFinished) return value;
+
+ if (value->IsSmi()) {
+ // Even though stored as a Smi, this number might instead be needed as a
+ // HeapNumber when materializing a JSObject with a field of HeapObject
+ // representation. Since we don't have this information available here, we
+ // just always allocate a HeapNumber and later extract the Smi again if we
+ // don't need a HeapObject.
+ set_initialized_storage(
+ isolate()->factory()->NewHeapNumber(value->Number()));
+ return value;
}
- FATAL("internal error: value missing");
- return Handle<Object>::null();
-}
-
-void TranslatedValue::MaterializeSimple() {
- // If we already have materialized, return.
- if (materialization_state() == kFinished) return;
-
- Object raw_value = GetRawValue();
- if (raw_value != ReadOnlyRoots(isolate()).arguments_marker()) {
- // We can get the value without allocation, just return it here.
- set_initialized_storage(Handle<Object>(raw_value, isolate()));
- return;
+ if (*value != ReadOnlyRoots(isolate()).arguments_marker()) {
+ set_initialized_storage(Handle<HeapObject>::cast(value));
+ return storage_;
}
- switch (kind()) {
- case kInt32:
- set_initialized_storage(
- Handle<Object>(isolate()->factory()->NewNumber(int32_value())));
- return;
+ // Otherwise we have to materialize.
- case kInt64:
- set_initialized_storage(Handle<Object>(
- isolate()->factory()->NewNumber(static_cast<double>(int64_value()))));
- return;
+ if (kind() == TranslatedValue::kCapturedObject ||
+ kind() == TranslatedValue::kDuplicatedObject) {
+ // We need to materialize the object (or possibly even object graphs).
+ // To make the object verifier happy, we materialize in two steps.
- case kUInt32:
- set_initialized_storage(
- Handle<Object>(isolate()->factory()->NewNumber(uint32_value())));
- return;
+ // 1. Allocate storage for reachable objects. This makes sure that for
+ // each object we have allocated space on heap. The space will be
+ // a byte array that will be later initialized, or a fully
+ // initialized object if it is safe to allocate one that will
+ // pass the verifier.
+ container_->EnsureObjectAllocatedAt(this);
- case kFloat: {
- double scalar_value = float_value().get_scalar();
- set_initialized_storage(
- Handle<Object>(isolate()->factory()->NewNumber(scalar_value)));
- return;
- }
-
- case kDouble: {
- double scalar_value = double_value().get_scalar();
- set_initialized_storage(
- Handle<Object>(isolate()->factory()->NewNumber(scalar_value)));
- return;
- }
+ // 2. Initialize the objects. If we have allocated only byte arrays
+ // for some objects, we now overwrite the byte arrays with the
+ // correct object fields. Note that this phase does not allocate
+ // any new objects, so it does not trigger the object verifier.
+ return container_->InitializeObjectAt(this);
+ }
- case kCapturedObject:
- case kDuplicatedObject:
- case kInvalid:
- case kTagged:
- case kBoolBit:
- FATAL("internal error: unexpected materialization.");
+ double number;
+ switch (kind()) {
+ case TranslatedValue::kInt32:
+ number = int32_value();
+ break;
+ case TranslatedValue::kInt64:
+ number = int64_value();
+ break;
+ case TranslatedValue::kUInt32:
+ number = uint32_value();
+ break;
+ case TranslatedValue::kFloat:
+ number = float_value().get_scalar();
break;
+ case TranslatedValue::kDouble:
+ number = double_value().get_scalar();
+ break;
+ default:
+ UNREACHABLE();
}
+ DCHECK(!IsSmiDouble(number));
+ set_initialized_storage(isolate()->factory()->NewHeapNumber(number));
+ return storage_;
}
bool TranslatedValue::IsMaterializedObject() const {
@@ -2634,8 +2621,9 @@ Float64 TranslatedState::GetDoubleSlot(Address fp, int slot_offset) {
}
void TranslatedValue::Handlify() {
- if (kind() == kTagged) {
- set_initialized_storage(Handle<Object>(raw_literal(), isolate()));
+ if (kind() == kTagged && raw_literal().IsHeapObject()) {
+ set_initialized_storage(
+ Handle<HeapObject>(HeapObject::cast(raw_literal()), isolate()));
raw_literal_ = Object();
}
}
@@ -3386,7 +3374,7 @@ TranslatedValue* TranslatedState::GetValueByObjectIndex(int object_index) {
return &(frames_[pos.frame_index_].values_[pos.value_index_]);
}
-Handle<Object> TranslatedState::InitializeObjectAt(TranslatedValue* slot) {
+Handle<HeapObject> TranslatedState::InitializeObjectAt(TranslatedValue* slot) {
slot = ResolveCapturedObject(slot);
DisallowHeapAllocation no_allocation;
@@ -3401,7 +3389,7 @@ Handle<Object> TranslatedState::InitializeObjectAt(TranslatedValue* slot) {
InitializeCapturedObjectAt(index, &worklist, no_allocation);
}
}
- return slot->GetStorage();
+ return slot->storage();
}
void TranslatedState::InitializeCapturedObjectAt(
@@ -3501,11 +3489,17 @@ void TranslatedState::EnsureObjectAllocatedAt(TranslatedValue* slot) {
}
}
+int TranslatedValue::GetSmiValue() const {
+ Object value = GetRawValue();
+ CHECK(value.IsSmi());
+ return Smi::cast(value).value();
+}
+
void TranslatedState::MaterializeFixedDoubleArray(TranslatedFrame* frame,
int* value_index,
TranslatedValue* slot,
Handle<Map> map) {
- int length = Smi::cast(frame->values_[*value_index].GetRawValue()).value();
+ int length = frame->values_[*value_index].GetSmiValue();
(*value_index)++;
Handle<FixedDoubleArray> array = Handle<FixedDoubleArray>::cast(
isolate()->factory()->NewFixedDoubleArray(length));
@@ -3539,10 +3533,10 @@ void TranslatedState::MaterializeHeapNumber(TranslatedFrame* frame,
namespace {
-enum DoubleStorageKind : uint8_t {
+enum StorageKind : uint8_t {
kStoreTagged,
kStoreUnboxedDouble,
- kStoreMutableHeapNumber,
+ kStoreHeapObject
};
} // namespace
@@ -3614,9 +3608,7 @@ void TranslatedState::EnsureCapturedObjectAllocatedAt(
case SIMPLE_NUMBER_DICTIONARY_TYPE:
case STRING_TABLE_TYPE: {
// Check we have the right size.
- int array_length =
- Smi::cast(frame->values_[value_index].GetRawValue()).value();
-
+ int array_length = frame->values_[value_index].GetSmiValue();
int instance_size = FixedArray::SizeFor(array_length);
CHECK_EQ(instance_size, slot->GetChildrenCount() * kTaggedSize);
@@ -3635,13 +3627,13 @@ void TranslatedState::EnsureCapturedObjectAllocatedAt(
case PROPERTY_ARRAY_TYPE: {
// Check we have the right size.
- int length_or_hash =
- Smi::cast(frame->values_[value_index].GetRawValue()).value();
+ int length_or_hash = frame->values_[value_index].GetSmiValue();
int array_length = PropertyArray::LengthField::decode(length_or_hash);
int instance_size = PropertyArray::SizeFor(array_length);
CHECK_EQ(instance_size, slot->GetChildrenCount() * kTaggedSize);
slot->set_storage(AllocateStorageFor(slot));
+
// Make sure all the remaining children (after the map) are allocated.
return EnsureChildrenAllocated(slot->GetChildrenCount() - 1, frame,
&value_index, worklist);
@@ -3686,7 +3678,7 @@ void TranslatedState::EnsureChildrenAllocated(int count, TranslatedFrame* frame,
} else {
// Make sure the simple values (heap numbers, etc.) are properly
// initialized.
- child_slot->MaterializeSimple();
+ child_slot->GetValue();
}
SkipSlots(1, frame, value_index);
}
@@ -3701,16 +3693,17 @@ void TranslatedState::EnsurePropertiesAllocatedAndMarked(
properties_slot->mark_allocated();
properties_slot->set_storage(object_storage);
- // Set markers for the double properties.
+ // Set markers for out-of-object properties.
Handle<DescriptorArray> descriptors(map->instance_descriptors(), isolate());
for (InternalIndex i : map->IterateOwnDescriptors()) {
FieldIndex index = FieldIndex::ForDescriptor(*map, i);
- if (descriptors->GetDetails(i).representation().IsDouble() &&
- !index.is_inobject()) {
+ Representation representation = descriptors->GetDetails(i).representation();
+ if (!index.is_inobject() &&
+ (representation.IsDouble() || representation.IsHeapObject())) {
CHECK(!map->IsUnboxedDoubleField(index));
int outobject_index = index.outobject_array_index();
int array_index = outobject_index * kTaggedSize;
- object_storage->set(array_index, kStoreMutableHeapNumber);
+ object_storage->set(array_index, kStoreHeapObject);
}
}
}
@@ -3736,31 +3729,44 @@ void TranslatedState::EnsureJSObjectAllocated(TranslatedValue* slot,
// Now we handle the interesting (JSObject) case.
Handle<DescriptorArray> descriptors(map->instance_descriptors(), isolate());
- // Set markers for the double properties.
+ // Set markers for in-object properties.
for (InternalIndex i : map->IterateOwnDescriptors()) {
FieldIndex index = FieldIndex::ForDescriptor(*map, i);
- if (descriptors->GetDetails(i).representation().IsDouble() &&
- index.is_inobject()) {
+ Representation representation = descriptors->GetDetails(i).representation();
+ if (index.is_inobject() &&
+ (representation.IsDouble() || representation.IsHeapObject())) {
CHECK_GE(index.index(), FixedArray::kHeaderSize / kTaggedSize);
int array_index = index.index() * kTaggedSize - FixedArray::kHeaderSize;
- uint8_t marker = map->IsUnboxedDoubleField(index)
- ? kStoreUnboxedDouble
- : kStoreMutableHeapNumber;
+ uint8_t marker = map->IsUnboxedDoubleField(index) ? kStoreUnboxedDouble
+ : kStoreHeapObject;
object_storage->set(array_index, marker);
}
}
slot->set_storage(object_storage);
}
-Handle<Object> TranslatedState::GetValueAndAdvance(TranslatedFrame* frame,
- int* value_index) {
- TranslatedValue* slot = frame->ValueAt(*value_index);
- SkipSlots(1, frame, value_index);
+TranslatedValue* TranslatedState::GetResolvedSlot(TranslatedFrame* frame,
+ int value_index) {
+ TranslatedValue* slot = frame->ValueAt(value_index);
if (slot->kind() == TranslatedValue::kDuplicatedObject) {
slot = ResolveCapturedObject(slot);
}
- CHECK_NE(TranslatedValue::kUninitialized, slot->materialization_state());
- return slot->GetStorage();
+ CHECK_NE(slot->materialization_state(), TranslatedValue::kUninitialized);
+ return slot;
+}
+
+TranslatedValue* TranslatedState::GetResolvedSlotAndAdvance(
+ TranslatedFrame* frame, int* value_index) {
+ TranslatedValue* slot = GetResolvedSlot(frame, *value_index);
+ SkipSlots(1, frame, value_index);
+ return slot;
+}
+
+Handle<Object> TranslatedState::GetValueAndAdvance(TranslatedFrame* frame,
+ int* value_index) {
+ TranslatedValue* slot = GetResolvedSlot(frame, *value_index);
+ SkipSlots(1, frame, value_index);
+ return slot->GetValue();
}
void TranslatedState::InitializeJSObjectAt(
@@ -3788,29 +3794,25 @@ void TranslatedState::InitializeJSObjectAt(
// marker to see if we store an unboxed double.
DCHECK_EQ(kTaggedSize, JSObject::kPropertiesOrHashOffset);
for (int i = 2; i < slot->GetChildrenCount(); i++) {
- // Initialize and extract the value from its slot.
- Handle<Object> field_value = GetValueAndAdvance(frame, value_index);
-
+ TranslatedValue* slot = GetResolvedSlotAndAdvance(frame, value_index);
// Read out the marker and ensure the field is consistent with
// what the markers in the storage say (note that all heap numbers
// should be fully initialized by now).
int offset = i * kTaggedSize;
uint8_t marker = object_storage->ReadField<uint8_t>(offset);
if (marker == kStoreUnboxedDouble) {
- double double_field_value;
- if (field_value->IsSmi()) {
- double_field_value = Smi::cast(*field_value).value();
- } else {
- CHECK(field_value->IsHeapNumber());
- double_field_value = HeapNumber::cast(*field_value).value();
- }
- object_storage->WriteField<double>(offset, double_field_value);
- } else if (marker == kStoreMutableHeapNumber) {
+ Handle<HeapObject> field_value = slot->storage();
CHECK(field_value->IsHeapNumber());
+ object_storage->WriteField<double>(offset, field_value->Number());
+ } else if (marker == kStoreHeapObject) {
+ Handle<HeapObject> field_value = slot->storage();
WRITE_FIELD(*object_storage, offset, *field_value);
WRITE_BARRIER(*object_storage, offset, *field_value);
} else {
CHECK_EQ(kStoreTagged, marker);
+ Handle<Object> field_value = slot->GetValue();
+ DCHECK_IMPLIES(field_value->IsHeapNumber(),
+ !IsSmiDouble(field_value->Number()));
WRITE_FIELD(*object_storage, offset, *field_value);
WRITE_BARRIER(*object_storage, offset, *field_value);
}
@@ -3836,15 +3838,18 @@ void TranslatedState::InitializeObjectWithTaggedFieldsAt(
// Write the fields to the object.
for (int i = 1; i < slot->GetChildrenCount(); i++) {
- Handle<Object> field_value = GetValueAndAdvance(frame, value_index);
+ TranslatedValue* slot = GetResolvedSlotAndAdvance(frame, value_index);
int offset = i * kTaggedSize;
uint8_t marker = object_storage->ReadField<uint8_t>(offset);
- if (i > 1 && marker == kStoreMutableHeapNumber) {
- CHECK(field_value->IsHeapNumber());
+ Handle<Object> field_value;
+ if (i > 1 && marker == kStoreHeapObject) {
+ field_value = slot->storage();
} else {
CHECK(marker == kStoreTagged || i == 1);
+ field_value = slot->GetValue();
+ DCHECK_IMPLIES(field_value->IsHeapNumber(),
+ !IsSmiDouble(field_value->Number()));
}
-
WRITE_FIELD(*object_storage, offset, *field_value);
WRITE_BARRIER(*object_storage, offset, *field_value);
}
@@ -3911,10 +3916,7 @@ TranslatedFrame* TranslatedState::GetArgumentsInfoFromJSFrameIndex(
// argument (the receiver).
static constexpr int kTheContext = 1;
const int height = frames_[i].height() + kTheContext;
- Object argc_object = frames_[i].ValueAt(height - 1)->GetRawValue();
- CHECK(argc_object.IsSmi());
- *args_count = Smi::ToInt(argc_object);
-
+ *args_count = frames_[i].ValueAt(height - 1)->GetSmiValue();
DCHECK_EQ(*args_count, 1);
} else {
*args_count = InternalFormalParameterCountWithReceiver(
@@ -3956,21 +3958,30 @@ void TranslatedState::StoreMaterializedValuesAndDeopt(JavaScriptFrame* frame) {
CHECK(value_info->IsMaterializedObject());
- // Skip duplicate objects (i.e., those that point to some
- // other object id).
+ // Skip duplicate objects (i.e., those that point to some other object id).
if (value_info->object_index() != i) continue;
+ Handle<Object> previous_value(previously_materialized_objects->get(i),
+ isolate_);
Handle<Object> value(value_info->GetRawValue(), isolate_);
- if (!value.is_identical_to(marker)) {
- if (previously_materialized_objects->get(i) == *marker) {
+ if (value.is_identical_to(marker)) {
+ DCHECK_EQ(*previous_value, *marker);
+ } else {
+ if (*previous_value == *marker) {
+ if (value->IsSmi()) {
+ value = isolate()->factory()->NewHeapNumber(value->Number());
+ }
previously_materialized_objects->set(i, *value);
value_changed = true;
} else {
- CHECK(previously_materialized_objects->get(i) == *value);
+ CHECK(*previous_value == *value ||
+ (previous_value->IsHeapNumber() && value->IsSmi() &&
+ previous_value->Number() == value->Number()));
}
}
}
+
if (new_store && value_changed) {
materialized_store->Set(stack_frame_pointer_,
previously_materialized_objects);
@@ -4004,8 +4015,10 @@ void TranslatedState::UpdateFromPreviouslyMaterializedObjects() {
CHECK(value_info->IsMaterializedObject());
if (value_info->kind() == TranslatedValue::kCapturedObject) {
- value_info->set_initialized_storage(
- Handle<Object>(previously_materialized_objects->get(i), isolate_));
+ Handle<Object> object(previously_materialized_objects->get(i),
+ isolate_);
+ CHECK(object->IsHeapObject());
+ value_info->set_initialized_storage(Handle<HeapObject>::cast(object));
}
}
}
@@ -4019,7 +4032,7 @@ void TranslatedState::VerifyMaterializedObjects() {
if (slot->kind() == TranslatedValue::kCapturedObject) {
CHECK_EQ(slot, GetValueByObjectIndex(slot->object_index()));
if (slot->materialization_state() == TranslatedValue::kFinished) {
- slot->GetStorage()->ObjectVerify(isolate());
+ slot->storage()->ObjectVerify(isolate());
} else {
CHECK_EQ(slot->materialization_state(),
TranslatedValue::kUninitialized);
diff --git a/src/deoptimizer/deoptimizer.h b/src/deoptimizer/deoptimizer.h
index 2766ed7c6381a279d6161c058ea33fffe9860426..6c68ea1f96f00df51008a14d3ca7c7e672c47f0f 100644
--- a/src/deoptimizer/deoptimizer.h
+++ b/src/deoptimizer/deoptimizer.h
@@ -39,13 +39,17 @@ enum class BuiltinContinuationMode;
class TranslatedValue {
public:
- // Allocation-less getter of the value.
+ // Allocation-free getter of the value.
// Returns ReadOnlyRoots::arguments_marker() if allocation would be necessary
- // to get the value.
+ // to get the value. In the case of numbers, returns a Smi if possible.
Object GetRawValue() const;
- // Getter for the value, takes care of materializing the subgraph
- // reachable from this value.
+ // Convenience wrapper around GetRawValue (checked).
+ int GetSmiValue() const;
+
+ // Returns the value, possibly materializing it first (and the whole subgraph
+ // reachable from this value). In the case of numbers, returns a Smi if
+ // possible.
Handle<Object> GetValue();
bool IsMaterializedObject() const;
@@ -102,15 +106,14 @@ class TranslatedValue {
static TranslatedValue NewInvalid(TranslatedState* container);
Isolate* isolate() const;
- void MaterializeSimple();
void set_storage(Handle<HeapObject> storage) { storage_ = storage; }
- void set_initialized_storage(Handle<Object> storage);
+ void set_initialized_storage(Handle<HeapObject> storage);
void mark_finished() { materialization_state_ = kFinished; }
void mark_allocated() { materialization_state_ = kAllocated; }
- Handle<Object> GetStorage() {
- DCHECK_NE(kUninitialized, materialization_state());
+ Handle<HeapObject> storage() {
+ DCHECK_NE(materialization_state(), kUninitialized);
return storage_;
}
@@ -120,9 +123,9 @@ class TranslatedValue {
// objects and constructing handles (to get
// to the isolate).
- Handle<Object> storage_; // Contains the materialized value or the
- // byte-array that will be later morphed into
- // the materialized object.
+ Handle<HeapObject> storage_; // Contains the materialized value or the
+ // byte-array that will be later morphed into
+ // the materialized object.
struct MaterializedObjectInfo {
int id_;
@@ -376,7 +379,7 @@ class TranslatedState {
int* value_index, std::stack<int>* worklist);
void EnsureCapturedObjectAllocatedAt(int object_index,
std::stack<int>* worklist);
- Handle<Object> InitializeObjectAt(TranslatedValue* slot);
+ Handle<HeapObject> InitializeObjectAt(TranslatedValue* slot);
void InitializeCapturedObjectAt(int object_index, std::stack<int>* worklist,
const DisallowHeapAllocation& no_allocation);
void InitializeJSObjectAt(TranslatedFrame* frame, int* value_index,
@@ -392,6 +395,9 @@ class TranslatedState {
TranslatedValue* ResolveCapturedObject(TranslatedValue* slot);
TranslatedValue* GetValueByObjectIndex(int object_index);
Handle<Object> GetValueAndAdvance(TranslatedFrame* frame, int* value_index);
+ TranslatedValue* GetResolvedSlot(TranslatedFrame* frame, int value_index);
+ TranslatedValue* GetResolvedSlotAndAdvance(TranslatedFrame* frame,
+ int* value_index);
static uint32_t GetUInt32Slot(Address fp, int slot_index);
static uint64_t GetUInt64Slot(Address fp, int slot_index);
@@ -773,7 +779,7 @@ class FrameDescription {
intptr_t continuation_;
// This must be at the end of the object as the object is allocated larger
- // than it's definition indicate to extend this array.
+ // than its definition indicates to extend this array.
intptr_t frame_content_[1];
intptr_t* GetFrameSlotPointer(unsigned offset) {
diff --git a/test/mjsunit/compiler/regress-1084820.js b/test/mjsunit/compiler/regress-1084820.js
new file mode 100644
index 0000000000000000000000000000000000000000..beb168b413ff045c5aff8e68d2e6da32b27800d6
--- /dev/null
+++ b/test/mjsunit/compiler/regress-1084820.js
@@ -0,0 +1,27 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// Create a map where 'my_property' has HeapObject representation.
+const dummy_obj = {};
+dummy_obj.my_property = 'some HeapObject';
+dummy_obj.my_property = 'some other HeapObject';
+
+function gaga() {
+ const obj = {};
+ // Store a HeapNumber and then a Smi.
+ // This must happen in a loop, even if it's only 2 iterations:
+ for (let j = -3_000_000_000; j <= -1_000_000_000; j += 2_000_000_000) {
+ obj.my_property = j;
+ }
+ // Trigger (soft) deopt.
+ if (!%IsBeingInterpreted()) obj + obj;
+}
+
+%PrepareFunctionForOptimization(gaga);
+gaga();
+gaga();
+%OptimizeFunctionOnNextCall(gaga);
+gaga();
diff --git a/test/mjsunit/compiler/regress-1092650.js b/test/mjsunit/compiler/regress-1092650.js
new file mode 100644
index 0000000000000000000000000000000000000000..ba94375aeb8262536e28d5d409d69115e385c3b3
--- /dev/null
+++ b/test/mjsunit/compiler/regress-1092650.js
@@ -0,0 +1,23 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+// Create map with HeapNumber in field 'a'
+({a: 2**30});
+
+function foo() {
+ return foo.arguments[0];
+}
+
+function main() {
+ foo({a: 42});
+}
+
+%PrepareFunctionForOptimization(foo);
+%PrepareFunctionForOptimization(main);
+main();
+main();
+%OptimizeFunctionOnNextCall(main);
+main();
diff --git a/test/mjsunit/compiler/regress-1094132.js b/test/mjsunit/compiler/regress-1094132.js
new file mode 100644
index 0000000000000000000000000000000000000000..418637d86f8c363b9c0c41c450914e758ff73e9c
--- /dev/null
+++ b/test/mjsunit/compiler/regress-1094132.js
@@ -0,0 +1,78 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function prettyPrinted() {}
+
+function formatFailureText() {
+ if (expectedText.length <= 40 && foundText.length <= 40) {
+ message += ": expected <" + expectedText + "> found <" + foundText + ">";
+ message += ":\nexpected:\n" + expectedText + "\nfound:\n" + foundText;
+ }
+}
+
+function fail(expectedText, found, name_opt) {
+ formatFailureText(expectedText, found, name_opt);
+ if (!a[aProps[i]][aProps[i]]) { }
+}
+
+function deepEquals(a, b) {
+ if (a === 0) return 1 / a === 1 / b;
+ if (typeof a !== typeof a) return false;
+ if (typeof a !== "object" && typeof a !== "function") return false;
+ if (objectClass !== classOf()) return false;
+ if (objectClass === "RegExp") { }
+}
+
+function assertEquals() {
+ if (!deepEquals()) {
+ fail(prettyPrinted(), undefined, undefined);
+ }
+}
+
+({y: {}, x: 0.42});
+
+function gaga() {
+ return {gx: bar.arguments[0], hx: baz.arguments[0]};
+}
+
+function baz() {
+ return gaga();
+}
+
+function bar(obj) {
+ return baz(obj.y);
+}
+
+function foo() {
+ bar({y: {}, x: 42});
+ try { assertEquals() } catch (e) {}
+ try { assertEquals() } catch (e) {}
+ assertEquals();
+}
+
+%PrepareFunctionForOptimization(prettyPrinted);
+%PrepareFunctionForOptimization(formatFailureText);
+%PrepareFunctionForOptimization(fail);
+%PrepareFunctionForOptimization(deepEquals);
+%PrepareFunctionForOptimization(assertEquals);
+%PrepareFunctionForOptimization(gaga);
+%PrepareFunctionForOptimization(baz);
+%PrepareFunctionForOptimization(bar);
+%PrepareFunctionForOptimization(foo);
+try { foo() } catch (e) {}
+%OptimizeFunctionOnNextCall(foo);
+try { foo() } catch (e) {}
+%PrepareFunctionForOptimization(prettyPrinted);
+%PrepareFunctionForOptimization(formatFailureText);
+%PrepareFunctionForOptimization(fail);
+%PrepareFunctionForOptimization(deepEquals);
+%PrepareFunctionForOptimization(assertEquals);
+%PrepareFunctionForOptimization(gaga);
+%PrepareFunctionForOptimization(baz);
+%PrepareFunctionForOptimization(bar);
+%PrepareFunctionForOptimization(foo);
+%OptimizeFunctionOnNextCall(foo);
+try { foo() } catch (e) {}