[ignition] BytecodeGraphBuilder: Merge correct environment in try block

Making new nodes inside of exception-handled blocks fiddles around with the current environment to merge the exception paths. In particular, the current environment pointer is mutated. This patch ensures that when we merge the fast and slow paths of the LdaContextLookup, we actually merge the correct environment and do not accidentally merge the exceptional environment. BUG=chromium:651394 Review-Url: https://codereview.chromium.org/2379043002 Cr-Commit-Position: refs/heads/master@{#39878}
2016-09-29 08:17:52 -07:00 · 2016-09-29 08:17:52 -07:00 · 537c855882
commit 537c855882
parent 497af7fca5
3 changed files with 42 additions and 5 deletions
--- a/src/compiler/bytecode-graph-builder.cc
+++ b/src/compiler/bytecode-graph-builder.cc
@ -906,18 +906,16 @@ void BytecodeGraphBuilder::BuildLdaLookupContextSlot(TypeofMode typeof_mode) {
                extension_slot, jsgraph()->TheHoleConstant());

    NewBranch(check_no_extension);
-    Environment* false_environment = environment();
    Environment* true_environment = environment()->CopyForConditional();

    {
-      set_environment(false_environment);
      NewIfFalse();
      // If there is an extension, merge into the slow path.
      if (slow_environment == nullptr) {
-        slow_environment = false_environment;
+        slow_environment = environment();
        NewMerge();
      } else {
-        slow_environment->Merge(false_environment);
+        slow_environment->Merge(environment());
      }
    }

@ -956,7 +954,7 @@ void BytecodeGraphBuilder::BuildLdaLookupContextSlot(TypeofMode typeof_mode) {
    environment()->BindAccumulator(value, &states);
  }

-  fast_environment->Merge(slow_environment);
+  fast_environment->Merge(environment());
  set_environment(fast_environment);
 }

--- a/test/mjsunit/regress/regress-crbug-651403-global.js
+++ b/test/mjsunit/regress/regress-crbug-651403-global.js
@ -0,0 +1,20 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --ignition-staging --turbo --always-opt
+
+x = "";
+
+function f () {
+  function g() {
+    try {
+      eval('');
+      return x;
+    } catch(e) {
+    }
+  }
+  return g();
+}
+
+f();
--- a/test/mjsunit/regress/regress-crbug-651403.js
+++ b/test/mjsunit/regress/regress-crbug-651403.js
@ -0,0 +1,19 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --ignition-staging --turbo --always-opt
+
+function f () {
+  var x = "";
+  function g() {
+    try {
+      eval('');
+      return x;
+    } catch(e) {
+    }
+  }
+  return g();
+}
+
+f();