[turbofan] Use correct lazy frame state for JSCreate.

If JSCreate (which corresponds to %NewObject) would ever trigger a lazy deopt, we would deopt after the constructor call, skipping all the initialization and what else in the constructor function, which is wrong. Instead we can use the eager bailout point right before the constructor function, because allocation is not observable and so we can safely repeat the %NewObject in case of lazy bailout. R=yangguo@chromium.org BUG=v8:4544 LOG=n Review URL: https://codereview.chromium.org/1530583004 Cr-Commit-Position: refs/heads/master@{#32880}
2015-12-15 23:52:20 -08:00 · 2015-12-15 23:52:20 -08:00 · 476296b96b
commit 476296b96b
parent 44a8fec8a1
1 changed files with 3 additions and 3 deletions
--- a/src/compiler/js-inlining.cc
+++ b/src/compiler/js-inlining.cc
@ -445,9 +445,9 @@ Reduction JSInliner::ReduceJSCall(Node* node, Handle<JSFunction> function) {
      NeedsImplicitReceiver(function, info_->isolate())) {
    Node* effect = NodeProperties::GetEffectInput(node);
    Node* context = NodeProperties::GetContextInput(node);
-    Node* create = jsgraph_->graph()->NewNode(jsgraph_->javascript()->Create(),
-                                              call.target(), call.new_target(),
-                                              context, frame_state, effect);
+    Node* create = jsgraph_->graph()->NewNode(
+        jsgraph_->javascript()->Create(), call.target(), call.new_target(),
+        context, call.frame_state_before(), effect);
    NodeProperties::ReplaceEffectInput(node, create);
    // Insert a check of the return value to determine whether the return value
    // or the implicit receiver should be selected as a result of the call.