[turbofan] fix bug in CommonOperatorReducer::ReduceReturn

In this bug, we might replace a phi node with the Dead node even though it still has uses. DeadCodeElimination picks this up and inserts a runtime crash into the code. Bug: chromium:974474 Change-Id: Iea685913c8666806972719bbfb0891e516207d4f Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1669693 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#62352}
2019-06-25 11:44:17 +02:00 · 2019-06-25 11:44:17 +02:00 · 6254e98d5d
commit 6254e98d5d
parent c07a2d618d
2 changed files with 22 additions and 4 deletions
--- a/src/compiler/common-operator-reducer.cc
+++ b/src/compiler/common-operator-reducer.cc
@ -337,9 +337,9 @@ Reduction CommonOperatorReducer::ReduceReturn(Node* node) {
    //        End

    // Now the effect input to the {Return} node can be either an {EffectPhi}
-    // hanging off the same {Merge}, or the {Merge} node is only connected to
-    // the {Return} and the {Phi}, in which case we know that the effect input
-    // must somehow dominate all merged branches.
+    // hanging off the same {Merge}, or the effect chain doesn't depend on the
+    // {Phi} or the {Merge}, in which case we know that the effect input must
+    // somehow dominate all merged branches.

    Node::Inputs control_inputs = control->inputs();
    Node::Inputs value_inputs = value->inputs();
@ -347,7 +347,7 @@ Reduction CommonOperatorReducer::ReduceReturn(Node* node) {
    DCHECK_EQ(control_inputs.count(), value_inputs.count() - 1);
    DCHECK_EQ(IrOpcode::kEnd, graph()->end()->opcode());
    DCHECK_NE(0, graph()->end()->InputCount());
-    if (control->OwnedBy(node, value)) {
+    if (control->OwnedBy(node, value) && value->OwnedBy(node)) {
      for (int i = 0; i < control_inputs.count(); ++i) {
        // Create a new {Return} and connect it to {end}. We don't need to mark
        // {end} as revisit, because we mark {node} as {Dead} below, which was
--- a/test/mjsunit/compiler/regress-crbug-974474.js
+++ b/test/mjsunit/compiler/regress-crbug-974474.js
@ -0,0 +1,18 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(x) {
+    const y = x == 42;
+    () => {y};
+    if (y) { Object(); }
+    [!!y];
+    return y;
+}
+
+%PrepareFunctionForOptimization(foo);
+foo(42); foo(42);
+%OptimizeFunctionOnNextCall(foo);
+foo(42);