From 219b28bfe2ea76de63f034eb75b67e8ded339d94 Mon Sep 17 00:00:00 2001
From: Georg Neis
Date: Mon, 14 Sep 2020 10:55:01 +0200
Subject: [PATCH] [turbofan] Fix bug in inlining

JSInliningHeuristic::Finalize did not take into account that by the time it gets called some of the candidate nodes may have changed to non-call operators.

Bug: chromium:1127319
Change-Id: I180ed36de98455be6b55790ba7bdb4391ff5fd5c
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2409273
Reviewed-by: Tobias Tebbi
Commit-Queue: Georg Neis
Auto-Submit: Georg Neis
Cr-Commit-Position: refs/heads/master@{#69874}
---
 src/compiler/js-inlining-heuristic.cc | 7 ++---
 test/mjsunit/compiler/regress-1127319.js | 40 ++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 4 deletions(-)
 create mode 100644 test/mjsunit/compiler/regress-1127319.js
diff --git a/src/compiler/js-inlining-heuristic.cc b/src/compiler/js-inlining-heuristic.cc
index 9a568e8d8a..31f8298757 100644
--- a/src/compiler/js-inlining-heuristic.cc
+++ b/src/compiler/js-inlining-heuristic.cc
@@ -260,10 +260,9 @@ void JSInliningHeuristic::Finalize() {
 Candidate candidate = *i;
 candidates_.erase(i);
- // Make sure we don't try to inline dead candidate nodes.
- if (candidate.node->IsDead()) {
- continue;
- }
+ // Ignore this candidate if it's no longer valid.
+ if (!IrOpcode::IsInlineeOpcode(candidate.node->opcode())) continue;
+ if (candidate.node->IsDead()) continue;
 // Make sure we have some extra budget left, so that any small functions
 // exposed by this function would be given a chance to inline.
diff --git a/test/mjsunit/compiler/regress-1127319.js b/test/mjsunit/compiler/regress-1127319.js
new file mode 100644
index 0000000000..74d577bdd8
--- /dev/null
+++ b/test/mjsunit/compiler/regress-1127319.js
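Review bot: The new guard `if (!IrOpcode::IsInlineeOpcode(candidate.node->opcode())) continue;` establishes only that the node is still some inlinee-class operator, not that it is still the call the candidate was recorded for. The commit message says candidate nodes can change operator between being collected and Finalize running, so a node rewritten in place into a different call would pass this check while the rest of `candidate` still describes the old one. Whether the code after this point re-derives its data from the node cannot be seen here, because Finalize starts and ends outside the hunk; if it does not, such a stale candidate should be skipped as well. The comment could also say why the state goes stale, e.g. `// The node may have been changed in place to a non-call operator since it was recorded as a candidate.`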
@@ -0,0 +1,40 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --interrupt-budget=1024
+
+function v1() {
+ const v4 = Reflect;
+ const v8 = [11.11];
+ const v10 = {__proto__:1111, a:-1, c:RegExp, f:v8, d:1111, e:-1};
+ const v12 = [11.11];
+ function v13() {}
+ const v16 = {a:v13, b:v13, c:v13, d:v13, e:v13, f:v13, g:v13, h:v13, i:v13, j:v13};
+}
+
+function foo() {
+ let v22 = Number;
+ v22 = v1;
+ const v23 = false;
+ if (v23) {
+ v22 = Number;
+ } else {
+ function v24() {
+ const v28 = ".Cactus"[0];
+ for (let v32 = 0; v32 < 7; v32++) {}
+ }
+ new Promise(v24);
+ try {
+ for (const v37 of v36) {
+ const v58 = [cactus,cactus,[] = cactus] = v117;
+ }
+ } catch(v119) {
+ }
+ }
+ v22();
+}
+
+for (let i = 0; i < 10; i++) {
+ foo();
+}
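Review bot: The test reaches the optimizing compiler only through `// Flags: --interrupt-budget=1024` and the ten calls in the final loop, so whether `foo` is actually optimized, and the inlining path exercised, depends on tiering heuristics that can change over time. If the reproduction survives it, forcing optimization explicitly with `--allow-natives-syntax` and `%PrepareFunctionForOptimization(foo)` / `%OptimizeFunctionOnNextCall(foo)` would keep the regression coverage from silently lapsing. A header comment such as `// Regression test for chromium:1127319 (inlining candidate changed to a non-call operator).` would also make clear that the absence of assertions is intentional.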