[TurboFan] Fix null-dereference on code-gen failure.

BUG=chromium:801097 Change-Id: Ie631822a668b55b0f0790b719e7d8cdde78d95c6 Reviewed-on: https://chromium-review.googlesource.com/861882 Commit-Queue: Ross McIlroy <rmcilroy@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#50544}
2018-01-12 13:37:18 +00:00 · 2018-01-12 13:37:18 +00:00 · 56378899e5
commit 56378899e5
parent df6f18d5eb
3 changed files with 25 additions and 1 deletions
--- a/src/compiler/code-generator.cc
+++ b/src/compiler/code-generator.cc
@ -310,7 +310,10 @@ MaybeHandle<HandlerTable> CodeGenerator::GetHandlerTable() const {
 }

 Handle<Code> CodeGenerator::FinalizeCode() {
-  if (result_ != kSuccess) return Handle<Code>();
+  if (result_ != kSuccess) {
+    tasm()->AbortedCodeGeneration();
+    return Handle<Code>();
+  }

  // Allocate exception handler table.
  Handle<HandlerTable> table = HandlerTable::Empty(isolate());
--- a/src/compiler/pipeline.cc
+++ b/src/compiler/pipeline.cc
@ -2205,6 +2205,8 @@ Handle<Code> PipelineImpl::FinalizeCode() {
  Run<FinalizeCodePhase>();

  Handle<Code> code = data->code();
+  if (code.is_null()) return code;
+
  if (data->profiler_data()) {
 #if ENABLE_DISASSEMBLER
    std::ostringstream os;
--- a/test/mjsunit/compiler/regress-801097.js
+++ b/test/mjsunit/compiler/regress-801097.js
@ -0,0 +1,19 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function GetFunction() {
+  var source = "return ((dividend | 0) / ((";
+  for (var i = 0; i < 0x8000; i++) {
+    source += "a,"
+  }
+  source += "a) | 0)) | 0";
+  return Function("dividend", source);
+}
+
+var func = GetFunction();
+assertThrows("func();");
+%OptimizeFunctionOnNextCall(func);
+assertThrows("func()");