[maglev] Fix ProtoApply with spread call

By propagating the call arguments mode. Fixed: chromium:1405092 Bug: v8:7700 Change-Id: I6da52fedea1d5a0083d328fdbf39708f956b97cf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4138261 Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Toon Verwaest <verwaest@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/main@{#85140}
2023-01-05 15:26:40 +01:00 · 2023-01-05 15:26:40 +01:00 · 7b9fa44c98
commit 7b9fa44c98
parent 027afd4273
2 changed files with 31 additions and 2 deletions
--- a/src/maglev/maglev-graph-builder.cc
+++ b/src/maglev/maglev-graph-builder.cc
@ -3362,8 +3362,8 @@ ValueNode* MaglevGraphBuilder::ReduceFunctionPrototypeApplyCallWithReceiver(
  } else if (args.count() == 1 || IsNullValue(args[1]) ||
             IsUndefinedValue(args[1])) {
    // No need for spread. We have only the new receiver.
-    CallArguments new_args(ConvertReceiverMode::kAny,
-                           {GetTaggedValue(args[0])});
+    CallArguments new_args(ConvertReceiverMode::kAny, {GetTaggedValue(args[0])},
+                           args.mode());
    call = ReduceCall(receiver, new_args, feedback_source, speculation_mode);
  } else {
    // FunctionPrototypeApply only consider two arguments: the new receiver and
--- a/test/mjsunit/maglev/regress-1405092.js
+++ b/test/mjsunit/maglev/regress-1405092.js
@ -0,0 +1,29 @@
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --maglev
+
+'use strict';
+
+function foo(obj, ...args) {
+  obj['apply'](...args);
+}
+
+var x = 0;
+
+function bar() {
+  try {
+    this.x;
+  } catch (e) {
+    x++;
+  }
+}
+
+%PrepareFunctionForOptimization(foo);
+foo(bar);
+
+%OptimizeMaglevOnNextCall(foo);
+foo(bar);
+
+assertEquals(2, x);