deps: cherry-pick 29691f8063ccd from V8 upstream

Original commit message: [snapshot] correctly clear feedback vector before serialization. R=jgruber@chromium.org Bug: v8:6422 Change-Id: Ib1075259325627451060b3a0a41cad5c917dc30e Reviewed-on: https://chromium-review.googlesource.com/650246 Reviewed-by: Jakob Gruber <jgruber@chromium.org> Commit-Queue: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/master@{#47814}
alibaba · Dec 8, 2017 · d660ead · d660ead
1 parent f722d31
commit d660ead
Show file tree

Hide file tree

Showing 5 changed files with 13 additions and 15 deletions.
diff --git a/deps/v8/src/feedback-vector.cc b/deps/v8/src/feedback-vector.cc
@@ -341,9 +341,7 @@ void FeedbackVector::EvictOptimizedCodeMarkedForDeoptimization(
   }
 }
 
-void FeedbackVector::ClearSlots(JSFunction* host_function) {
-  Isolate* isolate = GetIsolate();
-
+bool FeedbackVector::ClearSlots(Isolate* isolate) {
   Object* uninitialized_sentinel =
       FeedbackVector::RawUninitializedSentinel(isolate);
 
@@ -455,9 +453,7 @@ void FeedbackVector::ClearSlots(JSFunction* host_function) {
       }
     }
   }
-  if (feedback_updated) {
-    IC::OnFeedbackChanged(isolate, this, host_function);
-  }
+  return feedback_updated;
 }
 
 Handle<FixedArray> FeedbackNexus::EnsureArrayOfSize(int length) {

diff --git a/deps/v8/src/feedback-vector.h b/deps/v8/src/feedback-vector.h
@@ -223,8 +223,8 @@ class FeedbackVector : public HeapObject {
   DECL_PRINTER(FeedbackVector)
   DECL_VERIFIER(FeedbackVector)
 
-  // Clears the vector slots.
-  void ClearSlots(JSFunction* host_function);
+  // Clears the vector slots. Return true if feedback has changed.
+  bool ClearSlots(Isolate* isolate);
 
   // The object that indicates an uninitialized cache.
   static inline Handle<Symbol> UninitializedSentinel(Isolate* isolate);

diff --git a/deps/v8/src/objects.cc b/deps/v8/src/objects.cc
@@ -14186,7 +14186,10 @@ int AbstractCode::SourceStatementPosition(int offset) {
 void JSFunction::ClearTypeFeedbackInfo() {
   if (feedback_vector_cell()->value()->IsFeedbackVector()) {
     FeedbackVector* vector = feedback_vector();
-    vector->ClearSlots(this);
+    Isolate* isolate = GetIsolate();
+    if (vector->ClearSlots(isolate)) {
+      IC::OnFeedbackChanged(isolate, vector, this);
+    }
   }
 }
 

diff --git a/deps/v8/src/snapshot/partial-serializer.cc b/deps/v8/src/snapshot/partial-serializer.cc
@@ -91,11 +91,8 @@ void PartialSerializer::SerializeObject(HeapObject* obj, HowToCode how_to_code,
 
   FlushSkip(skip);
 
-  // Clear literal boilerplates.
-  if (obj->IsJSFunction()) {
-    JSFunction* function = JSFunction::cast(obj);
-    function->ClearTypeFeedbackInfo();
-  }
+  // Clear literal boilerplates and feedback.
+  if (obj->IsFeedbackVector()) FeedbackVector::cast(obj)->ClearSlots(isolate_);
 
   if (obj->IsJSObject()) {
     JSObject* jsobj = JSObject::cast(obj);

diff --git a/deps/v8/test/cctest/test-feedback-vector.cc b/deps/v8/test/cctest/test-feedback-vector.cc
@@ -182,7 +182,9 @@ TEST(VectorSlotClearing) {
   Handle<AllocationSite> site = factory->NewAllocationSite();
   vector->Set(helper.slot(2), *site);
 
-  vector->ClearSlots(*f);
+  if (vector->ClearSlots(isolate)) {
+    IC::OnFeedbackChanged(isolate, *vector, *f);
+  }
 
   // The feedback vector slots are cleared. AllocationSites are still granted
   // an exemption from clearing, as are smis.