[turbofan] Fix two bugs in ReduceArrayIteratorPrototypeNext

- Add missing uses of MapInference::NoChange. - Insert map checks even if inferred maps were reliable, because they were inferred for an earlier effect input. Bug: chromium:958420, chromium:958350, v8:9197 Change-Id: Id7677b1fc6f1e09dc12ae178f1155e4245b4e3e6 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593077 Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#61157}
2019-05-02 11:15:25 +02:00 · 2019-05-02 11:15:25 +02:00 · 053393d9fd
commit 053393d9fd
parent 06b749ebae
3 changed files with 43 additions and 5 deletions
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@ -4921,6 +4921,7 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
      CreateArrayIteratorParametersOf(iterator->op()).kind();
  Node* iterated_object = NodeProperties::GetValueInput(iterator, 0);
  Node* iterator_effect = NodeProperties::GetEffectInput(iterator);
+
  MapInference inference(broker(), iterated_object, iterator_effect);
  if (!inference.HaveMaps()) return inference.NoChange();
  MapHandles const& iterated_object_maps = inference.GetMaps();
@ -4932,26 +4933,28 @@ Reduction JSCallReducer::ReduceArrayIteratorPrototypeNext(Node* node) {
    // TurboFan doesn't support loading from BigInt typed arrays yet.
    if (elements_kind == BIGUINT64_ELEMENTS ||
        elements_kind == BIGINT64_ELEMENTS) {
-      return NoChange();
+      return inference.NoChange();
    }
    for (Handle<Map> map : iterated_object_maps) {
      MapRef iterated_object_map(broker(), map);
      if (iterated_object_map.elements_kind() != elements_kind) {
-        return NoChange();
+        return inference.NoChange();
      }
    }
  } else {
    if (!CanInlineArrayIteratingBuiltin(broker(), iterated_object_maps,
                                        &elements_kind)) {
-      return NoChange();
+      return inference.NoChange();
    }
  }

  if (IsHoleyElementsKind(elements_kind)) {
    if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
  }
-  inference.RelyOnMapsPreferStability(dependencies(), jsgraph(), &effect,
-                                      control, p.feedback());
+  // Since the map inference was done relative to {iterator_effect} rather than
+  // {effect}, we need to guard the use of the map(s) even when the inference
+  // was reliable.
+  inference.InsertMapChecks(jsgraph(), &effect, control, p.feedback());

  if (IsFixedTypedArrayElementsKind(elements_kind)) {
    // See if we can skip the detaching check.
--- a/test/mjsunit/compiler/regress-958350.js
+++ b/test/mjsunit/compiler/regress-958350.js
@ -0,0 +1,17 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(o) {
+  for (const x of o) {
+    o[100] = 1;
+    try { x.push(); } catch (e) {}
+  }
+}
+
+foo([1]);
+foo([1]);
+%OptimizeFunctionOnNextCall(foo);
+foo([1]);
--- a/test/mjsunit/compiler/regress-958420.js
+++ b/test/mjsunit/compiler/regress-958420.js
@ -0,0 +1,18 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var a = [];
+
+function foo() {
+  return a[Symbol.iterator]().next();
+}
+
+a.__proto__.push(5);
+a.bla = {};
+
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();