From 7b9fa44c9824a738239897e5c9dbb299c9e40d8c Mon Sep 17 00:00:00 2001 From: Victor Gomes Date: Thu, 5 Jan 2023 15:26:40 +0100 Subject: [PATCH] [maglev] Fix ProtoApply with spread call By propagating the call arguments mode. Fixed: chromium:1405092 Bug: v8:7700 Change-Id: I6da52fedea1d5a0083d328fdbf39708f956b97cf Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4138261 Reviewed-by: Toon Verwaest Commit-Queue: Toon Verwaest Auto-Submit: Victor Gomes Cr-Commit-Position: refs/heads/main@{#85140} --- src/maglev/maglev-graph-builder.cc | 4 ++-- test/mjsunit/maglev/regress-1405092.js | 29 ++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 test/mjsunit/maglev/regress-1405092.js diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc index d313cae0f5..69c301596d 100644 --- a/src/maglev/maglev-graph-builder.cc +++ b/src/maglev/maglev-graph-builder.cc @@ -3362,8 +3362,8 @@ ValueNode* MaglevGraphBuilder::ReduceFunctionPrototypeApplyCallWithReceiver( } else if (args.count() == 1 || IsNullValue(args[1]) || IsUndefinedValue(args[1])) { // No need for spread. We have only the new receiver. - CallArguments new_args(ConvertReceiverMode::kAny, - {GetTaggedValue(args[0])}); + CallArguments new_args(ConvertReceiverMode::kAny, {GetTaggedValue(args[0])}, + args.mode()); call = ReduceCall(receiver, new_args, feedback_source, speculation_mode); } else { // FunctionPrototypeApply only consider two arguments: the new receiver and diff --git a/test/mjsunit/maglev/regress-1405092.js b/test/mjsunit/maglev/regress-1405092.js new file mode 100644 index 0000000000..81480c9cb0 --- /dev/null +++ b/test/mjsunit/maglev/regress-1405092.js @@ -0,0 +1,29 @@ +// Copyright 2022 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax --maglev + +'use strict'; + +function foo(obj, ...args) { + obj['apply'](...args); +} + +var x = 0; + +function bar() { + try { + this.x; + } catch (e) { + x++; + } +} + +%PrepareFunctionForOptimization(foo); +foo(bar); + +%OptimizeMaglevOnNextCall(foo); +foo(bar); + +assertEquals(2, x);