Issue 633585: Crash in v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer
Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5839163693989888

Fuzzer: mbarbella_js_mutation
Job Type: linux_v8_d8_tot
Platform Id: linux

Crash Type: UNKNOWN READ
Crash Address: 0x7ffca1800030
Crash State:
  v8::internal::InnerPointerToCodeCache::GcSafeFindCodeForInnerPointer
  v8::internal::InnerPointerToCodeCache::GetCacheEntry
  v8::internal::StackFrame::ComputeType

Regressed: V8: r34567:34577

Minimized Testcase (0.27 Kb):
Download: https://cluster-fuzz.appspot.com/download/AMIfv96eAfSXUcUuqHcmiK_Hn-8MicqLB0o_WeH1uWx5zG0wQlEQpkylfryHFyowA41lWTpaJQLSf7XDyY9oZO4I51dUstiv5abr9qA7g5TYG0o8oLFcpl-Ff8iYDtNmXMm1tMNVQH51Ar77_YAA1SyFqM6OttJIUw?testcase_id=5839163693989888

    // Minimized ClusterFuzz testcase, reproduced verbatim. Note: gc() is only
    // available in d8 when it is started with --expose-gc; __v_15 is never
    // defined in the testcase, so the final line throws a ReferenceError.
    function __f_0() {
      this.x = this.x.x;
    }
    gc();
    __f_0.prototype.x = {x: 1}
    new __f_0();
    new __f_0();
    function __f_9(ensure_fast_case) {
      function __f_12() { };
      __f_12.prototype = { set x(value) { this.y = 23; } };
      new __f_0();
    }
    __f_9();
    __v_15.__defineGetter__();

Filer: inferno

See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.
Comment 1 by aarya@google.com, Aug 2 2016
mbarbella/jochen: not sure who to ping for this. Could you help me find an owner? Thanks!
Aug 2 2016

Aug 3 2016
Ccing v8 clusterfuzz sheriffs.
Aug 3 2016

Aug 3 2016

Aug 4 2016
Assigning to rossberg for now based on #5. Please help find a better owner if there is one.
Aug 4 2016
Missing bailout point for TurboFan. I am working on a fix.
Aug 4 2016

Aug 4 2016
Yeah, Runtime::kDefineAccessorPropertyUnchecked should not lazy deopt on a new literal, famous last words ...

    (gdb) bt
    #0  v8::internal::DependentCode::SetMarkedForDeoptimization (code=0x1d5b32c74001, group=v8::internal::DependentCode::kPrototypeCheckGroup) at ../src/objects.cc:14912
    #1  0x000000000147853e in v8::internal::DependentCode::MarkCodeForDeoptimization (this=0x192d33a05911, isolate=0x2347020, group=v8::internal::DependentCode::kPrototypeCheckGroup) at ../src/objects.cc:14878
    #2  0x000000000143c8db in v8::internal::DependentCode::DeoptimizeDependentCodeGroup (this=0x192d33a05911, isolate=0x2347020, group=v8::internal::DependentCode::kPrototypeCheckGroup) at ../src/objects.cc:14905
    #3  0x000000000143c966 in v8::internal::Map::NotifyLeafMapLayoutChange (this=0x137d25e0bf21) at .././src/objects-inl.h:4822
    #4  0x000000000144c26f in v8::internal::Map::Normalize (fast_map=..., mode=v8::internal::CLEAR_INOBJECT_PROPERTIES, reason=0x1e3f6d9 "AccessorsOverwritingNonAccessors") at ../src/objects.cc:8776
    #5  0x0000000001461006 in v8::internal::Map::TransitionToAccessorProperty (isolate=0x2347020, map=..., name=..., descriptor=0, getter=..., setter=..., attributes=v8::internal::NONE) at ../src/objects.cc:9480
    #6  0x00000000013f04f8 in v8::internal::LookupIterator::TransitionToAccessorProperty (this=0x7fffffffc970, getter=..., setter=..., attributes=v8::internal::NONE) at ../src/lookup.cc:458
    #7  0x0000000001453615 in v8::internal::JSObject::DefineAccessor (it=0x7fffffffc970, getter=..., setter=..., attributes=v8::internal::NONE) at ../src/objects.cc:8604
    #8  0x000000000145db58 in v8::internal::JSObject::DefineAccessor (object=..., name=..., getter=..., setter=..., attributes=v8::internal::NONE) at ../src/objects.cc:8573
    #9  0x00000000015ceea3 in v8::internal::__RT_impl_Runtime_DefineAccessorPropertyUnchecked (args=..., isolate=0x2347020) at ../src/runtime/runtime-object.cc:691
    #10 0x00000000015ce896 in v8::internal::Runtime_DefineAccessorPropertyUnchecked (args_length=5, args_object=0x7fffffffcb68, isolate=0x2347020) at ../src/runtime/runtime-object.cc:679
Aug 4 2016

Aug 4 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6

commit 667d8ad099f05a1e90c7a43b70af8964ac6ca7a6
Author: mstarzinger <mstarzinger@chromium.org>
Date: Thu Aug 04 10:25:03 2016

[turbofan] Fix missing bailout for accessors in literals.

This adds the missing lazy bailout point when defining accessor pairs within object literals via Runtime::kDefineAccessorPropertyUnchecked. The runtime function in question can indeed trigger a lazy deopt due to a DependentCode::kPrototypeCheckGroup dependency.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-633585
BUG=chromium:633585

Review-Url: https://codereview.chromium.org/2207413002
Cr-Commit-Position: refs/heads/master@{#38336}

[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/ast/ast.h
[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/compiler/ast-graph-builder.cc
[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/full-codegen/arm/full-codegen-arm.cc
[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/full-codegen/arm64/full-codegen-arm64.cc
[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/full-codegen/ia32/full-codegen-ia32.cc
[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/full-codegen/mips/full-codegen-mips.cc
[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/full-codegen/mips64/full-codegen-mips64.cc
[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/full-codegen/ppc/full-codegen-ppc.cc
[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/full-codegen/s390/full-codegen-s390.cc
[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/full-codegen/x64/full-codegen-x64.cc
[modify] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/src/full-codegen/x87/full-codegen-x87.cc
[add] https://crrev.com/667d8ad099f05a1e90c7a43b70af8964ac6ca7a6/test/mjsunit/regress/regress-crbug-633585.js
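The script below is an added illustration; it is not from the bug report, the minimized testcase or the V8 fix. It shows the program-visible invariant that the DependentCode::kPrototypeCheckGroup deoptimization in the backtrace exists to preserve: once a prototype's data property `x` is replaced by an accessor pair, a constructor that may have been compiled against the old prototype map must observe the getter and setter on its very next run. Variant A redefines the property in place (the JSObject::DefineAccessor path from the backtrace); variant B installs a new prototype whose accessors come from an object literal, the Runtime::kDefineAccessorPropertyUnchecked path the commit adds a bailout point for. The warm-up count is an assumption about when TurboFan compiles; the returned values are the same whether or not optimization happened, which is the point: a lazy deopt must never be observable. It does not reproduce the crash, which needed the fuzzer's exact optimization state; it runs under node or d8 without flags.

```javascript
// Added example (not from the bug report or the V8 fix). Demonstrates the
// invariant behind the kPrototypeCheckGroup deoptimization in the backtrace:
// code compiled against a prototype map must see the new accessor immediately
// after a data property on that prototype is turned into an accessor pair.

// Fresh constructor per run, the same shape as __f_0 in the testcase: it
// reads `x` through the prototype chain, then assigns `x` on the new object.
function makeCtor() {
  function Ctor() {
    this.x = this.x.x;
  }
  Ctor.prototype.x = { x: 1 };
  return Ctor;
}

function hasOwn(o, k) {
  return Object.prototype.hasOwnProperty.call(o, k);
}

// Warm-up loop so the optimizing compiler can compile Ctor against the current
// prototype map. The iteration count (100000 in demo) is an assumption; the
// results below hold whether or not TurboFan actually optimized anything.
function warm(Ctor, n) {
  let o;
  for (let i = 0; i < n; i++) o = new Ctor();
  // With a plain data property on the prototype, Ctor creates an own `x`.
  return { readX: o.x, ownX: hasOwn(o, "x") };
}

// Variant A: overwrite the prototype's data property with an accessor pair in
// place. This is the JSObject::DefineAccessor path in the backtrace: the
// prototype map is normalized ("AccessorsOverwritingNonAccessors") and every
// Code object registered in its kPrototypeCheckGroup is marked for deopt.
function redefineInPlace(Ctor) {
  let setterCalls = 0;
  Object.defineProperty(Ctor.prototype, "x", {
    get() { return { x: 7 }; },
    set(v) { setterCalls++; this.y = 23; },
    configurable: true,
  });
  const o = new Ctor();
  // The assignment inside Ctor now invokes the inherited setter instead of
  // creating an own data property, so `x` stays inherited and `y` appears.
  return { readX: o.x.x, ownX: hasOwn(o, "x"), y: o.y, setterCalls };
}

// Variant B: swap in a brand-new prototype whose accessor pair is defined by
// an object literal, as `__f_12.prototype = { set x(value) {...} }` does in
// the testcase. Accessors in a literal are installed through
// Runtime::kDefineAccessorPropertyUnchecked, the call site that was missing
// a lazy-deopt bailout point before the fix.
function replacePrototypeWithLiteral(Ctor) {
  let setterCalls = 0;
  Ctor.prototype = {
    get x() { return { x: 9 }; },
    set x(v) { setterCalls++; this.y = 23; },
  };
  const o = new Ctor();
  return { readX: o.x.x, ownX: hasOwn(o, "x"), y: o.y, setterCalls };
}

// Runs all three phases on a fresh constructor and returns what each observed.
function demo() {
  const Ctor = makeCtor();
  return {
    warmed: warm(Ctor, 100000),
    inPlace: redefineInPlace(Ctor),
    literal: replacePrototypeWithLiteral(Ctor),
  };
}
```

Calling demo() returns warmed.readX 1 with an own `x`, then for both variants an inherited `x` (7 and 9 through the getters), `y` 23 and exactly one setter call; any divergence from that on a given build would mean optimized code kept running against a stale prototype map, which is the condition the bailout point added by the fix makes the engine handle instead of crashing in a half-torn-down frame.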
Aug 4 2016

Aug 4 2016

Aug 10 2016

Aug 10 2016
Your change meets the bar and is auto-approved for M53 (branch: 2785)
Aug 11 2016
Please merge your change to M53 branch 2785 ASAP (latest before 5:00 PM PT, Friday 08/12) so we can take it in for next week's beta. Thank you.
Aug 11 2016
Has been merged to V8's 5.3 branch. For some reason Bugdroid didn't post a notification. https://chromium.googlesource.com/v8/v8/+/c7f317240d90d95bf34e754e3199fbbb588ecd4c
Aug 11 2016

Aug 11 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/c7f317240d90d95bf34e754e3199fbbb588ecd4c

commit c7f317240d90d95bf34e754e3199fbbb588ecd4c
Author: Michael Starzinger <mstarzinger@google.com>
Date: Thu Aug 11 08:51:26 2016

Merged: [turbofan] Fix missing bailout for accessors in literals.

Revision: 667d8ad099f05a1e90c7a43b70af8964ac6ca7a6

BUG=chromium:633585
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=bmeurer@chromium.org
CC=hablich@chromium.org

Review URL: https://codereview.chromium.org/2230983005 .

Cr-Commit-Position: refs/branch-heads/5.3@{#40}
Cr-Branched-From: 820a23aade5e74a92d794e05a0c2b3597f0da4b5-refs/heads/5.3.332@{#2}
Cr-Branched-From: 37538cb2c1b4d75c41af386cb4fedbe5566f5608-refs/heads/master@{#37308}

[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/ast/ast.h
[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/compiler/ast-graph-builder.cc
[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/full-codegen/arm/full-codegen-arm.cc
[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/full-codegen/arm64/full-codegen-arm64.cc
[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/full-codegen/ia32/full-codegen-ia32.cc
[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/full-codegen/mips/full-codegen-mips.cc
[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/full-codegen/mips64/full-codegen-mips64.cc
[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/full-codegen/ppc/full-codegen-ppc.cc
[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/full-codegen/s390/full-codegen-s390.cc
[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/full-codegen/x64/full-codegen-x64.cc
[modify] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/src/full-codegen/x87/full-codegen-x87.cc
[add] https://crrev.com/c7f317240d90d95bf34e754e3199fbbb588ecd4c/test/mjsunit/regress/regress-crbug-633585.js
Aug 26 2016

Sep 14 2016

Nov 10 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Apr 25 2018