Extra code to diagnose a crash bug.

ripsawridge · Commit bot · commit afba4792dff0 · 2015-09-16T15:38:54.000Z
This will catch an invalid receiver before being passed to a load ic miss handler in the runtime. BUG= R=jkummerow@chromium.org Review URL: https://codereview.chromium.org/1351493002 Cr-Commit-Position: refs/heads/master@{#30768}
diff --git a/src/builtins.cc b/src/builtins.cc
@@ -1739,7 +1739,7 @@ BUILTIN(HandleApiCallAsConstructor) {
 
 
 static void Generate_LoadIC_Miss(MacroAssembler* masm) {
-  LoadIC::GenerateMiss(masm);
+  LoadIC::GenerateMiss(masm, LoadIC::kStressBuiltin);
 }
 
 
diff --git a/src/full-codegen/x64/full-codegen-x64.cc b/src/full-codegen/x64/full-codegen-x64.cc
@@ -2262,14 +2262,15 @@ void FullCodeGenerator::EmitNamedPropertyLoad(Property* prop) {
   if (FeedbackVector()->GetIndex(prop->PropertyFeedbackSlot()) == 6) {
     __ Pop(LoadDescriptor::ReceiverRegister());
 
-    Label ok;
+    Label ok, sound_alarm;
     __ JumpIfSmi(rax, &ok, Label::kNear);
     __ movp(rbx, FieldOperand(rax, HeapObject::kMapOffset));
-    __ CmpInstanceType(rbx, LAST_PRIMITIVE_TYPE);
-    __ j(below_equal, &ok, Label::kNear);
-    __ CmpInstanceType(rbx, FIRST_JS_RECEIVER_TYPE);
-    __ j(above_equal, &ok, Label::kNear);
+    __ CompareRoot(rbx, Heap::kMetaMapRootIndex);
+    __ j(equal, &sound_alarm);
+    __ CompareRoot(rbx, Heap::kFixedArrayMapRootIndex);
+    __ j(not_equal, &ok, Label::kNear);
 
+    __ bind(&sound_alarm);
     __ Push(Smi::FromInt(0xaabbccdd));
     __ Push(LoadDescriptor::ReceiverRegister());
     __ movp(rbx, FieldOperand(LoadDescriptor::ReceiverRegister(),
diff --git a/src/ic/arm/ic-arm.cc b/src/ic/arm/ic-arm.cc
@@ -300,7 +300,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is in lr.
   Isolate* isolate = masm->isolate();
 
diff --git a/src/ic/arm64/ic-arm64.cc b/src/ic/arm64/ic-arm64.cc
@@ -280,7 +280,7 @@ void LoadIC::GenerateNormal(MacroAssembler* masm, LanguageMode language_mode) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is in lr.
   Isolate* isolate = masm->isolate();
   ASM_LOCATION("LoadIC::GenerateMiss");
diff --git a/src/ic/ia32/ic-ia32.cc b/src/ic/ia32/ic-ia32.cc
@@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // Return address is on the stack.
   __ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);
   LoadIC_PushArgs(masm);
diff --git a/src/ic/ic.h b/src/ic/ic.h
@@ -323,8 +323,17 @@ class LoadIC : public IC {
   }
 
   // Code generator routines.
-  static void GenerateInitialize(MacroAssembler* masm) { GenerateMiss(masm); }
-  static void GenerateMiss(MacroAssembler* masm);
+
+  // TODO(jkummerow): Remove the stress parameter and these stress constants
+  // when a crash bug is fixed.
+  static const int kStressNone = 0;
+  static const int kStressInit = 1;
+  static const int kStressDispatcher = 2;
+  static const int kStressBuiltin = 3;
+  static void GenerateInitialize(MacroAssembler* masm) {
+    GenerateMiss(masm, kStressInit);
+  }
+  static void GenerateMiss(MacroAssembler* masm, int stress = kStressNone);
   static void GenerateRuntimeGetProperty(MacroAssembler* masm,
                                          LanguageMode language_mode);
   static void GenerateNormal(MacroAssembler* masm, LanguageMode language_mode);
diff --git a/src/ic/mips/ic-mips.cc b/src/ic/mips/ic-mips.cc
@@ -306,7 +306,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is in ra.
   Isolate* isolate = masm->isolate();
 
diff --git a/src/ic/mips64/ic-mips64.cc b/src/ic/mips64/ic-mips64.cc
@@ -303,7 +303,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is on the stack.
   Isolate* isolate = masm->isolate();
 
diff --git a/src/ic/ppc/ic-ppc.cc b/src/ic/ppc/ic-ppc.cc
@@ -310,7 +310,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is in lr.
   Isolate* isolate = masm->isolate();
 
diff --git a/src/ic/x64/ic-x64.cc b/src/ic/x64/ic-x64.cc
@@ -667,14 +667,44 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // The return address is on the stack.
 
   Counters* counters = masm->isolate()->counters();
   __ IncrementCounter(counters->load_miss(), 1);
 
   LoadIC_PushArgs(masm);
 
+  Register receiver = LoadDescriptor::ReceiverRegister();
+
+  // Sanity check: The receiver must be a JS-exposed kind of object,
+  // not something internal (like a Map, or FixedArray). Check this here
+  // to chase after a rare but recurring crash bug.
+  // TODO(jkummerow): Remove this when it has generated a few crash reports.
+
+  Label ok, sound_alarm;
+  __ JumpIfSmi(receiver, &ok, Label::kNear);
+  __ movp(rbx, FieldOperand(receiver, HeapObject::kMapOffset));
+  __ CompareRoot(rbx, Heap::kMetaMapRootIndex);
+  __ j(equal, &sound_alarm);
+  __ CompareRoot(rbx, Heap::kFixedArrayMapRootIndex);
+  __ j(not_equal, &ok, Label::kNear);
+
+  // This cmpp instruction is only here to identify which of several kinds
+  // of code blocks embedded the MISS code. (handler, dispatcher).
+  __ cmpp(receiver, Immediate(stress));
+
+  __ bind(&sound_alarm);
+  __ Push(Smi::FromInt(0xaabbccdd));
+  __ Push(receiver);
+  __ movp(rbx, FieldOperand(receiver, HeapObject::kMapOffset));
+  __ Push(rbx);
+  __ movp(rbx, FieldOperand(receiver, JSObject::kPropertiesOffset));
+  __ Push(rbx);
+  __ int3();
+
+  __ bind(&ok);
+
   // Perform tail call to the entry.
   int arg_count = 4;
   __ TailCallRuntime(Runtime::kLoadIC_Miss, arg_count, 1);
diff --git a/src/ic/x87/ic-x87.cc b/src/ic/x87/ic-x87.cc
@@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {
 }
 
 
-void LoadIC::GenerateMiss(MacroAssembler* masm) {
+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {
   // Return address is on the stack.
   __ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);
   LoadIC_PushArgs(masm);
diff --git a/src/x64/code-stubs-x64.cc b/src/x64/code-stubs-x64.cc
@@ -4348,7 +4348,7 @@ void LoadICStub::GenerateImpl(MacroAssembler* masm, bool in_frame) {
       masm, Code::LOAD_IC, code_flags, receiver, name, feedback, no_reg);
 
   __ bind(&miss);
-  LoadIC::GenerateMiss(masm);
+  LoadIC::GenerateMiss(masm, LoadIC::kStressDispatcher);
 
   __ bind(&load_smi_map);
   __ LoadRoot(receiver_map, Heap::kHeapNumberMapRootIndex);

Original file line number	Diff line number	Diff line change
`@@ -1739,7 +1739,7 @@ BUILTIN(HandleApiCallAsConstructor) {`
`1739`	`1739`
`1740`	`1740`
`1741`	`1741`	`static void Generate_LoadIC_Miss(MacroAssembler* masm) {`
`1742`		`- LoadIC::GenerateMiss(masm);`
	`1742`	`+ LoadIC::GenerateMiss(masm, LoadIC::kStressBuiltin);`
`1743`	`1743`	`}`
`1744`	`1744`
`1745`	`1745`
Original file line number	Diff line number	Diff line change
`@@ -300,7 +300,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {`
`300`	`300`	`}`
`301`	`301`
`302`	`302`
`303`		`-void LoadIC::GenerateMiss(MacroAssembler* masm) {`
	`303`	`+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {`
`304`	`304`	`// The return address is in lr.`
`305`	`305`	`Isolate* isolate = masm->isolate();`
`306`	`306`
Original file line number	Diff line number	Diff line change
`@@ -280,7 +280,7 @@ void LoadIC::GenerateNormal(MacroAssembler* masm, LanguageMode language_mode) {`
`280`	`280`	`}`
`281`	`281`
`282`	`282`
`283`		`-void LoadIC::GenerateMiss(MacroAssembler* masm) {`
	`283`	`+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {`
`284`	`284`	`// The return address is in lr.`
`285`	`285`	`Isolate* isolate = masm->isolate();`
`286`	`286`	`ASM_LOCATION("LoadIC::GenerateMiss");`
Original file line number	Diff line number	Diff line change
`@@ -672,7 +672,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {`
`672`	`672`	`}`
`673`	`673`
`674`	`674`
`675`		`-void LoadIC::GenerateMiss(MacroAssembler* masm) {`
	`675`	`+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {`
`676`	`676`	`// Return address is on the stack.`
`677`	`677`	`__ IncrementCounter(masm->isolate()->counters()->load_miss(), 1);`
`678`	`678`	`LoadIC_PushArgs(masm);`
Original file line number	Diff line number	Diff line change
`@@ -306,7 +306,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {`
`306`	`306`	`}`
`307`	`307`
`308`	`308`
`309`		`-void LoadIC::GenerateMiss(MacroAssembler* masm) {`
	`309`	`+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {`
`310`	`310`	`// The return address is in ra.`
`311`	`311`	`Isolate* isolate = masm->isolate();`
`312`	`312`
Original file line number	Diff line number	Diff line change
`@@ -303,7 +303,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {`
`303`	`303`	`}`
`304`	`304`
`305`	`305`
`306`		`-void LoadIC::GenerateMiss(MacroAssembler* masm) {`
	`306`	`+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {`
`307`	`307`	`// The return address is on the stack.`
`308`	`308`	`Isolate* isolate = masm->isolate();`
`309`	`309`
Original file line number	Diff line number	Diff line change
`@@ -310,7 +310,7 @@ static void LoadIC_PushArgs(MacroAssembler* masm) {`
`310`	`310`	`}`
`311`	`311`
`312`	`312`
`313`		`-void LoadIC::GenerateMiss(MacroAssembler* masm) {`
	`313`	`+void LoadIC::GenerateMiss(MacroAssembler* masm, int stress) {`
`314`	`314`	`// The return address is in lr.`
`315`	`315`	`Isolate* isolate = masm->isolate();`
`316`	`316`