From 2f48fa1130eee60a1b334dd1a05923eea9906a4f Mon Sep 17 00:00:00 2001
From: Georg Neis <neis@chromium.org>
Date: Mon, 20 Sep 2021 13:51:13 +0200
Subject: [PATCH] [compiler] Disable escape analysis for double elements
 accesses

See the issue for details.

Bug: chromium:1237821
Change-Id: I847229c3d0a5435f956c97a621991915aafdd4e9
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3171156
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/main@{#76937}
---
 src/compiler/escape-analysis.cc | 15 +++++++++------
 src/compiler/escape-analysis.h  |  5 +++++
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/compiler/escape-analysis.cc b/src/compiler/escape-analysis.cc
index 7ff6ab684f..bf693c71dc 100644
--- a/src/compiler/escape-analysis.cc
+++ b/src/compiler/escape-analysis.cc
@@ -510,12 +510,15 @@ int OffsetOfFieldAccess(const Operator* op) {
   return access.offset;
 }
 
-int OffsetOfElementAt(ElementAccess const& access, int index) {
+Maybe<int> OffsetOfElementAt(ElementAccess const& access, int index) {
+  MachineRepresentation representation = access.machine_type.representation();
+  // Double elements accesses are not yet supported. See chromium:1237821.
+  if (representation == MachineRepresentation::kFloat64) return Nothing<int>();
+
   DCHECK_GE(index, 0);
-  DCHECK_GE(ElementSizeLog2Of(access.machine_type.representation()),
-            kTaggedSizeLog2);
-  return access.header_size +
-         (index << ElementSizeLog2Of(access.machine_type.representation()));
+  DCHECK_GE(ElementSizeLog2Of(representation), kTaggedSizeLog2);
+  return Just(access.header_size +
+              (index << ElementSizeLog2Of(representation)));
 }
 
 Maybe<int> OffsetOfElementsAccess(const Operator* op, Node* index_node) {
@@ -527,7 +530,7 @@ Maybe<int> OffsetOfElementsAccess(const Operator* op, Node* index_node) {
   double min = index_type.Min();
   int index = static_cast<int>(min);
   if (index < 0 || index != min || index != max) return Nothing<int>();
-  return Just(OffsetOfElementAt(ElementAccessOf(op), index));
+  return OffsetOfElementAt(ElementAccessOf(op), index);
 }
 
 Node* LowerCompareMapsWithoutLoad(Node* checked_map,
diff --git a/src/compiler/escape-analysis.h b/src/compiler/escape-analysis.h
index 907c7cc087..d3f9768fe7 100644
--- a/src/compiler/escape-analysis.h
+++ b/src/compiler/escape-analysis.h
@@ -139,6 +139,11 @@ class VirtualObject : public Dependable {
     }
     return Just(fields_.at(offset / kTaggedSize));
   }
+  Maybe<Variable> FieldAt(Maybe<int> maybe_offset) const {
+    int offset;
+    if (!maybe_offset.To(&offset)) return Nothing<Variable>();
+    return FieldAt(offset);
+  }
   Id id() const { return id_; }
   int size() const { return static_cast<int>(kTaggedSize * fields_.size()); }
   // Escaped might mean that the object escaped to untracked memory or that it