[crankshaft] Fix environment handling after leaving inlined tail call.

BUG=chromium:537444, v8:4698 LOG=N TBR=bmeurer@chromium.org Review URL: https://codereview.chromium.org/1859763005 Cr-Commit-Position: refs/heads/master@{#35253}
2016-04-05 02:42:24 -07:00 · 2016-04-05 02:42:24 -07:00 · 792bf2a093
commit 792bf2a093
parent 1354b1bf37
5 changed files with 39 additions and 1 deletions
--- a/src/crankshaft/hydrogen.cc
+++ b/src/crankshaft/hydrogen.cc
@ -13162,6 +13162,11 @@ void HEnvironment::MarkAsTailCaller() {
  frame_type_ = TAIL_CALLER_FUNCTION;
 }

+void HEnvironment::ClearTailCallerMark() {
+  DCHECK_EQ(TAIL_CALLER_FUNCTION, frame_type());
+  frame_type_ = JS_FUNCTION;
+}
+
 HEnvironment* HEnvironment::CopyForInlining(
    Handle<JSFunction> target, int arguments, FunctionLiteral* function,
    HConstant* undefined, InliningKind inlining_kind,
--- a/src/crankshaft/hydrogen.h
+++ b/src/crankshaft/hydrogen.h
@ -625,6 +625,9 @@ class HEnvironment final : public ZoneObject {
      outer = outer->outer_;
    }
    if (drop_extra) outer->Drop(1);
+    if (outer->frame_type() == TAIL_CALLER_FUNCTION) {
+      outer->ClearTailCallerMark();
+    }
    return outer;
  }

@ -685,6 +688,7 @@ class HEnvironment final : public ZoneObject {
  // Marks current environment as tail caller by setting frame type to
  // TAIL_CALLER_FUNCTION.
  void MarkAsTailCaller();
+  void ClearTailCallerMark();

  // True if index is included in the expression stack part of the environment.
  bool HasExpressionAt(int index) const;
--- a/src/crankshaft/lithium.cc
+++ b/src/crankshaft/lithium.cc
@ -512,6 +512,7 @@ LInstruction* LChunkBuilderBase::AssignEnvironment(LInstruction* instr,
                                                   HEnvironment* hydrogen_env) {
  int argument_index_accumulator = 0;
  ZoneList<HValue*> objects_to_materialize(0, zone());
+  DCHECK_NE(TAIL_CALLER_FUNCTION, hydrogen_env->frame_type());
  instr->set_environment(CreateEnvironment(
      hydrogen_env, &argument_index_accumulator, &objects_to_materialize));
  return instr;
--- a/src/deoptimizer.cc
+++ b/src/deoptimizer.cc
@ -1430,7 +1430,7 @@ void Deoptimizer::DoComputeTailCallerFrame(TranslatedFrame* translated_frame,

  bool is_bottommost = (0 == frame_index);
  // Tail caller frame can't be topmost.
-  DCHECK_NE(output_count_ - 1, frame_index);
+  CHECK_NE(output_count_ - 1, frame_index);

  if (trace_scope_ != NULL) {
    PrintF(trace_scope_->file(), "  translating tail caller frame ");
--- a/test/mjsunit/regress/regress-crbug-537444.js
+++ b/test/mjsunit/regress/regress-crbug-537444.js
@ -0,0 +1,28 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --harmony-tailcalls --allow-natives-syntax
+
+"use strict";
+
+function f(x) {
+  return x;
+}
+
+function g(x) {
+  return false ? 0 : f(x, 1);
+}
+
+function h(x) {
+  var z = g(x, 1);
+  return z + 1;
+}
+
+%SetForceInlineFlag(g);
+%SetForceInlineFlag(f);
+
+h(1);
+h(1);
+%OptimizeFunctionOnNextCall(h);
+h("a");