[turbofan] Fix LoadElement with variable index scalar replacement.

When replacing a LoadElement with variable index with its known fields, only do it if the types match, otherwise we end up with a graph that representation selection cannot handle. That can only happen in dead code, but TurboFan would nevertheless crash in representation selection. Bug: chromium:893982, chromium:899524, v8:5267, v8:6200 Change-Id: I01e645d5e01bffb911d216d37d923792d9d0beab Reviewed-on: https://chromium-review.googlesource.com/c/1303721 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#57059}
2018-10-28 10:57:33 +01:00 · 2018-10-28 10:57:33 +01:00 · 104d75214e
commit 104d75214e
parent dc70cb6694
2 changed files with 41 additions and 2 deletions
--- a/src/compiler/escape-analysis.cc
+++ b/src/compiler/escape-analysis.cc
@ -634,7 +634,9 @@ void ReduceNode(const Operator* op, EscapeAnalysisTracker::Scope* current,
        Node* value1;
        if (length == 1 &&
            vobject->FieldAt(OffsetOfElementAt(access, 0)).To(&var) &&
-            current->Get(var).To(&value)) {
+            current->Get(var).To(&value) &&
+            (value == nullptr ||
+             NodeProperties::GetType(value).Is(access.type))) {
          // The {object} has no elements, and we know that the LoadElement
          // {index} must be within bounds, thus it must always yield this
          // one element of {object}.
@ -643,8 +645,12 @@ void ReduceNode(const Operator* op, EscapeAnalysisTracker::Scope* current,
        } else if (length == 2 &&
                   vobject->FieldAt(OffsetOfElementAt(access, 0)).To(&var0) &&
                   current->Get(var0).To(&value0) &&
+                   (value0 == nullptr ||
+                    NodeProperties::GetType(value0).Is(access.type)) &&
                   vobject->FieldAt(OffsetOfElementAt(access, 1)).To(&var1) &&
-                   current->Get(var1).To(&value1)) {
+                   current->Get(var1).To(&value1) &&
+                   (value1 == nullptr ||
+                    NodeProperties::GetType(value1).Is(access.type))) {
          if (value0 && value1) {
            // The {object} has exactly two elements, so the LoadElement
            // must return one of them (i.e. either the element at index
--- a/test/mjsunit/regress/regress-crbug-899524.js
+++ b/test/mjsunit/regress/regress-crbug-899524.js
@ -0,0 +1,33 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function empty() { }
+
+function baz(expected, found) {
+  var start = "";
+  found.length, start + 'x';
+  if (expected.length === found.length) {
+    for (var i = 0; i < expected.length; ++i) {
+      empty(found[i]);
+    }
+  }
+}
+
+baz([1], new (class A extends Array {}));
+
+(function () {
+  "use strict";
+  function bar() {
+    baz([1,2], arguments);
+  }
+  function foo() {
+    bar(2147483648,-[]);
+  }
+  foo();
+  foo();
+  %OptimizeFunctionOnNextCall(foo);
+  foo();
+})();