[turbofan] Disable bogus lowering of builtin tail-calls.

The TurboFan backends currently don't support tail-calls to CPP builtins because the semantics of kJavaScriptCallArgCountRegister has different semantics for stub call descriptors versus JavaScript call descriptors. This is actually a short-coming of the backends and follow-up work will make the backends more robust in that regard to fail hard on unsupported constructs like that. This just disables the lowering creating such a tail-call. R=bmeurer@chromium.org BUG=chromium:658691 TEST=mjsunit/regress/regress-crbug-658691 Review-Url: https://codereview.chromium.org/2447383002 Cr-Commit-Position: refs/heads/master@{#40590}
2016-10-26 05:48:42 -07:00 · 2016-10-26 05:48:42 -07:00 · 2ab2ec2243
commit 2ab2ec2243
parent 87ec1673e4
2 changed files with 27 additions and 1 deletions
--- a/src/compiler/js-typed-lowering.cc
+++ b/src/compiler/js-typed-lowering.cc
@ -1672,6 +1672,7 @@ void ReduceBuiltin(Isolate* isolate, JSGraph* jsgraph, Node* node,
  const bool is_construct = (node->opcode() == IrOpcode::kJSCallConstruct);

  DCHECK(Builtins::HasCppImplementation(builtin_index));
+  DCHECK_EQ(0, flags & CallDescriptor::kSupportsTailCalls);

  Node* target = NodeProperties::GetValueInput(node, 0);
  Node* new_target = is_construct
@ -1877,7 +1878,8 @@ Reduction JSTypedLowering::ReduceJSCallFunction(Node* node) {
          node, common()->Call(Linkage::GetStubCallDescriptor(
                    isolate(), graph()->zone(), callable.descriptor(),
                    1 + arity, flags)));
-    } else if (is_builtin && Builtins::HasCppImplementation(builtin_index)) {
+    } else if (is_builtin && Builtins::HasCppImplementation(builtin_index) &&
+               ((flags & CallDescriptor::kSupportsTailCalls) == 0)) {
      // Patch {node} to a direct CEntryStub call.
      ReduceBuiltin(isolate(), jsgraph(), node, builtin_index, arity, flags);
    } else {
--- a/test/mjsunit/regress/regress-crbug-658691.js
+++ b/test/mjsunit/regress/regress-crbug-658691.js
@ -0,0 +1,24 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --harmony-tailcalls --ignition --turbo
+
+// The {f} function is compiled using TurboFan.
+// 1) The call to {Reflect.set} has no arguments adaptation.
+// 2) The call to {Reflect.set} is in tail position.
+function f(a, b, c) {
+  "use strict";
+  return Reflect.set({});
+}
+
+// The {g} function is compiled using Ignition.
+// 1) The call to {f} requires arguments adaptation.
+// 2) The call to {f} is not in tail position.
+function g() {
+  return f() + "-no-tail";
+}
+
+assertEquals("true-no-tail", g());
+%OptimizeFunctionOnNextCall(f);
+assertEquals("true-no-tail", g());