[turbofan] Use ObjectIsReceiver directly for inlining.

Don't bother using %_IsJSReceiver, which immediately gets lowered to ObjectIsReceiver anyways (by the JSIntrinsicLowering), but requires some complicated rewiring of effect/control chains. R=mstarzinger@chromium.org BUG=chromium:640369 Review-Url: https://codereview.chromium.org/2271973003 Cr-Commit-Position: refs/heads/master@{#38864}
2016-08-24 04:09:20 -07:00 · 2016-08-24 04:09:20 -07:00 · 6646d73b6f
commit 6646d73b6f
parent ce1386697f
3 changed files with 24 additions and 8 deletions
--- a/src/compiler/js-inlining.cc
+++ b/src/compiler/js-inlining.cc
@ -16,6 +16,7 @@
 #include "src/compiler/node-matchers.h"
 #include "src/compiler/node-properties.h"
 #include "src/compiler/operator-properties.h"
+#include "src/compiler/simplified-operator.h"
 #include "src/compiler/type-hint-analyzer.h"
 #include "src/isolate-inl.h"
 #include "src/parsing/parse-info.h"
@ -435,20 +436,15 @@ Reduction JSInliner::ReduceJSCall(Node* node, Handle<JSFunction> function) {
      NodeProperties::ReplaceEffectInput(node, create);
      // Insert a check of the return value to determine whether the return
      // value or the implicit receiver should be selected as a result of the
-      // call. The check is wired into the successful control completion.
-      Node* success = graph()->NewNode(common()->IfSuccess(), node);
-      Node* check = graph()->NewNode(
-          javascript()->CallRuntime(Runtime::kInlineIsJSReceiver, 1), node,
-          context, node, success);
+      // call.
+      Node* check = graph()->NewNode(simplified()->ObjectIsReceiver(), node);
      Node* select =
          graph()->NewNode(common()->Select(MachineRepresentation::kTagged),
                           check, node, create);
-      NodeProperties::ReplaceUses(node, select, check, check, node);
+      NodeProperties::ReplaceUses(node, select, node, node, node);
      // Fix-up inputs that have been mangled by the {ReplaceUses} call above.
      NodeProperties::ReplaceValueInput(select, node, 1);  // Fix-up input.
      NodeProperties::ReplaceValueInput(check, node, 0);   // Fix-up input.
-      NodeProperties::ReplaceEffectInput(check, node);     // Fix-up input.
-      NodeProperties::ReplaceControlInput(success, node);  // Fix-up input.
      receiver = create;  // The implicit receiver.
    }

@ -527,6 +523,10 @@ JSOperatorBuilder* JSInliner::javascript() const {

 CommonOperatorBuilder* JSInliner::common() const { return jsgraph()->common(); }

+SimplifiedOperatorBuilder* JSInliner::simplified() const {
+  return jsgraph()->simplified();
+}
+
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8
--- a/src/compiler/js-inlining.h
+++ b/src/compiler/js-inlining.h
@ -38,6 +38,7 @@ class JSInliner final : public AdvancedReducer {
 private:
  CommonOperatorBuilder* common() const;
  JSOperatorBuilder* javascript() const;
+  SimplifiedOperatorBuilder* simplified() const;
  Graph* graph() const;
  JSGraph* jsgraph() const { return jsgraph_; }

--- a/test/mjsunit/regress/regress-crbug-640369.js
+++ b/test/mjsunit/regress/regress-crbug-640369.js
@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function A() {
+  this.x = 0;
+  for (var i = 0; i < max; ) {}
+}
+function foo() {
+  for (var i = 0; i < 1; i = 2) %OptimizeOsr();
+  return new A();
+}
+try { foo(); } catch (e) { }