[turbofan] Update Node type in JSTypedLowering::ReduceJSToNumeric

ReduceJSToNumeric() can fail to update the node type after changing it's operator to JSToNumeric. BUG=chromium:1158049 Change-Id: Iaabb3676f8ad9563903b81de2e7eecdcc92cbc0b Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2593336 Reviewed-by: Nico Hartmann <nicohartmann@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#71771}
2020-12-15 17:42:40 +01:00 · 2020-12-15 17:42:40 +01:00 · 13921eb704
commit 13921eb704
parent b68466f4c9
2 changed files with 19 additions and 0 deletions
--- a/src/compiler/js-typed-lowering.cc
+++ b/src/compiler/js-typed-lowering.cc
@ -1046,6 +1046,9 @@ Reduction JSTypedLowering::ReduceJSToNumeric(Node* node) {
  if (input_type.Is(Type::NonBigIntPrimitive())) {
    // ToNumeric(x:primitive\bigint) => ToNumber(x)
    NodeProperties::ChangeOp(node, javascript()->ToNumber());
+    Type node_type = NodeProperties::GetType(node);
+    NodeProperties::SetType(
+        node, Type::Intersect(node_type, Type::Number(), graph()->zone()));
    return Changed(node).FollowedBy(ReduceJSToNumber(node));
  }
  return NoChange();
--- a/test/mjsunit/compiler/regress-1158049.js
+++ b/test/mjsunit/compiler/regress-1158049.js
@ -0,0 +1,16 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const v2 = Symbol.unscopables;
+
+function v6(v7,v8,v9,v10) {
+  try {
+    let v11 = eval && v2;
+    const v12 = v11++;
+  } catch(v13) {}
+}
+
+for (let v17 = 1; v17 < 10000; v17++) {
+  const v18 = v6();
+}