commit aea3ce3df3dc8838940e5db74c9d459a3ba999e3
author mvstanton <mvstanton@chromium.org> Mon Feb 06 10:18:05 2017
committer Commit bot <commit-bot@chromium.org> Mon Feb 06 10:18:05 2017
tree f39e8bac0d4f379174c885c81b22c73ca0ee83bc
parent f3aa32d971e6a5098abe4bed0ff5c0831bb76bfa

[TypeFeedbackVector] Root feedback vectors at function literal site.

TypeFeedbackVectors are strongly rooted by a closure. However, in modern
JavaScript closures are created and abandoned more freely. An important
closure may not be present in the root-set at time of garbage collection,
even though we've cached optimized code and use it regularly. For
example, consider leaf functions in an event dispatching system. They may
well be "hot," but tragically non-present when we collect the heap.

Until now, we've relied on a weak root to cache the feedback vector in
this case. Since there is no way to signal intent or relative importance,
this weak root is as susceptible to clearing as any other weak root at
garbage collection time.

Meanwhile, the feedback vector has become more important. All of our
ICs store their data there. Literal and regex boilerplates are stored there.
If we lose the vector, then we not only lose optimized code built from
it, we also lose the very feedback which allowed us to create that optimized
code. Therefore it's vital to express that dependency through the root
set.

This CL does this by creating a strong link to a feedback
vector at the instantiation site of the function closure.
This instantiation site is in the code and feedback vector
of the outer closure.

BUG=v8:5456

Review-Url: https://codereview.chromium.org/2674593003
Cr-Commit-Position: refs/heads/master@{#42953}