src/v8/test/mjsunit/regress/regress-718891.js - cobalt - Git at Google

 // Copyright 2017 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.

 // Flags: --allow-natives-syntax --expose-gc

 function Data() {
 }
 Data.prototype = { x: 1 };

 function TriggerDeopt() {
   Data.prototype = { x: 2 };
 }

 function TestDontSelfHealWithDeoptedCode(run_unoptimized, ClosureFactory) {
   // Create some function closures which don't have
   // optimized code.
   var unoptimized_closure = ClosureFactory();
   if (run_unoptimized) {
     unoptimized_closure();
   }

   // Run and optimize the code (do this in a separate function
   // so that the closure doesn't leak in a dead register).
   (() => {
     var optimized_closure = ClosureFactory();
     // Use .call to avoid the CallIC retaining the JSFunction in the
     // feedback vector via a weak map, which would mean it wouldn't be
     // collected in the minor gc below.
     optimized_closure.call(undefined);
     %OptimizeFunctionOnNextCall(optimized_closure);
     optimized_closure.call(undefined);
   })();

   // Optimize a dummy function, just so it gets linked into the
   // Contexts optimized_functions list head, which is in the old
   // space, and the link from to the optimized_closure's JSFunction
   // moves to the inline link in dummy's JSFunction in the new space,
   // otherwise optimized_closure's JSFunction will be retained by the
   // old->new remember set.
   (() => {
     var dummy = function() { return 1; };
     %OptimizeFunctionOnNextCall(dummy);
     dummy();
   })();

   // GC the optimized closure with a minor GC - the optimized
   // code will remain in the feedback vector.
   gc(true);

   // Trigger deoptimization by changing the prototype of Data. This
   // will mark the code for deopt, but since no live JSFunction has
   // optimized code, we won't clear the feedback vector.
   TriggerDeopt();

   // Call pre-existing functions, these will try to self-heal with the
   // optimized code in the feedback vector op, but should bail-out
   // since the code is marked for deoptimization.
   unoptimized_closure();
 }

 // Run with the unoptimized closure both uncomplied and compiled for the
 // interpreter initially, to test self healing on both CompileLazy and
 // the InterpreterEntryTrampoline respectively.
 TestDontSelfHealWithDeoptedCode(false,
         () => { return () => { return new Data() }});
 TestDontSelfHealWithDeoptedCode(true,
         () => { return () => { return new Data() }});
	// Copyright 2017 the V8 project authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.

	// Flags: --allow-natives-syntax --expose-gc

	function Data() {
	}
	Data.prototype = { x: 1 };

	function TriggerDeopt() {
	Data.prototype = { x: 2 };
	}

	function TestDontSelfHealWithDeoptedCode(run_unoptimized, ClosureFactory) {
	// Create some function closures which don't have
	// optimized code.
	var unoptimized_closure = ClosureFactory();
	if (run_unoptimized) {
	unoptimized_closure();
	}

	// Run and optimize the code (do this in a separate function
	// so that the closure doesn't leak in a dead register).
	(() => {
	var optimized_closure = ClosureFactory();
	// Use .call to avoid the CallIC retaining the JSFunction in the
	// feedback vector via a weak map, which would mean it wouldn't be
	// collected in the minor gc below.
	optimized_closure.call(undefined);
	%OptimizeFunctionOnNextCall(optimized_closure);
	optimized_closure.call(undefined);
	})();

	// Optimize a dummy function, just so it gets linked into the
	// Contexts optimized_functions list head, which is in the old
	// space, and the link from to the optimized_closure's JSFunction
	// moves to the inline link in dummy's JSFunction in the new space,
	// otherwise optimized_closure's JSFunction will be retained by the
	// old->new remember set.
	(() => {
	var dummy = function() { return 1; };
	%OptimizeFunctionOnNextCall(dummy);
	dummy();
	})();

	// GC the optimized closure with a minor GC - the optimized
	// code will remain in the feedback vector.
	gc(true);

	// Trigger deoptimization by changing the prototype of Data. This
	// will mark the code for deopt, but since no live JSFunction has
	// optimized code, we won't clear the feedback vector.
	TriggerDeopt();

	// Call pre-existing functions, these will try to self-heal with the
	// optimized code in the feedback vector op, but should bail-out
	// since the code is marked for deoptimization.
	unoptimized_closure();
	}

	// Run with the unoptimized closure both uncomplied and compiled for the
	// interpreter initially, to test self healing on both CompileLazy and
	// the InterpreterEntryTrampoline respectively.
	TestDontSelfHealWithDeoptedCode(false,
	() => { return () => { return new Data() }});
	TestDontSelfHealWithDeoptedCode(true,
	() => { return () => { return new Data() }});