Fixing failure on GC stress.

This bug was introduced by the CL https://chromium-review.googlesource.com/c/586707 With these changes we make sure that the object being deoptimized does not point to code objects that have been already collected. The CL https://chromium-review.googlesource.com/c/596027 did not fix this problem because we were only invalidating embedded objects reachable from the stack, however it is possible that there are some dangling references in objects not on the stack. Thus we consider all the optimized code objects that are marked for deoptimization. Bug: v8:751825 Change-Id: I3a6410c2bf556fa254c54a25e1f49d7356b9e51d Reviewed-on: https://chromium-review.googlesource.com/601967 Commit-Queue: Juliana Patricia Vicente Franco <jupvfranco@google.com> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#47163}
v8 · Aug 4, 2017 · ea0e1e2 · ea0e1e2
1 parent fd87a3c
commit ea0e1e2
Showing 1 changed file with 2 additions and 3 deletions.
diff --git a/src/deoptimizer.cc b/src/deoptimizer.cc
@@ -315,6 +315,8 @@ void Deoptimizer::DeoptimizeMarkedCodeForContext(Context* context) {
     Object* next = code->next_code_link();
 
     if (code->marked_for_deoptimization()) {
+      // Make sure that this object does not point to any garbage.
+      code->InvalidateEmbeddedObjects();
       if (prev != NULL) {
         // Skip this code in the optimized code list.
         prev->set_next_code_link(next);
@@ -349,9 +351,6 @@ void Deoptimizer::DeoptimizeMarkedCodeForContext(Context* context) {
                        safe_to_deopt_topmost_optimized_code);
         // Replace the current pc on the stack with the trampoline.
         it.frame()->set_pc(code->instruction_start() + trampoline_pc);
-
-        // Make sure that this object does not point to any garbage.
-        code->InvalidateEmbeddedObjects();
       }
     }
   }