From 7be3b4c90f93405ae9875f2403341b5684fb4e14 Mon Sep 17 00:00:00 2001
From: bmeurer
Date: Thu, 26 Jan 2017 12:52:21 -0800
Subject: [PATCH] [turbofan] Don't try to optimize tail calls to .apply.

BUG=chromium:685634
R=ishell@chromium.org
Review-Url: https://codereview.chromium.org/2658853002
Cr-Commit-Position: refs/heads/master@{#42713}
---
 src/compiler/js-call-reducer.cc | 4 ++++
 test/mjsunit/regress/regress-crbug-685634.js | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 test/mjsunit/regress/regress-crbug-685634.js

diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
index 0c890b1c49..8dd1ce79aa 100644
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -79,6 +79,10 @@ Reduction JSCallReducer::ReduceFunctionPrototypeApply(Node* node) {
 DCHECK_EQ(IrOpcode::kJSCallFunction, node->opcode());
 Node* target = NodeProperties::GetValueInput(node, 0);
 CallFunctionParameters const& p = CallFunctionParametersOf(node->op());
+ // Tail calls to Function.prototype.apply are not properly supported
+ // down the pipeline, so we disable this optimization completely for
+ // tail calls (for now).
+ if (p.tail_call_mode() == TailCallMode::kAllow) return NoChange();
 Handle apply =
 Handle::cast(HeapObjectMatcher(target).Value());
 size_t arity = p.arity();
diff --git a/test/mjsunit/regress/regress-crbug-685634.js b/test/mjsunit/regress/regress-crbug-685634.js
new file mode 100644
index 0000000000..2e647ce970
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-685634.js
@@ -0,0 +1,14 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --harmony-tailcalls
+
+"use strict";
+
+function foo(f) { return f.apply(this, arguments); }
+function bar() {}
+
+foo(bar);
+%OptimizeFunctionOnNextCall(foo);
+foo(bar);
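Review bot: The new bail-out comment says the restriction is temporary ("for now") but gives no pointer to what has to be fixed before it can be lifted, so the guard is likely to outlive the problem; since the commit is tracked as chromium:685634, the last comment line could read `// tail calls (for now, see chromium:685634).`. Placing the early return right after `p` is obtained and before the `Handle` cast of `target` is the right spot, as nothing is allocated or mutated ahead of it. If ReduceFunctionPrototypeCall reduces the same JSCallFunction node shape it may need the same TailCallMode check; that is not visible in this hunk and is worth confirming. ReduceFunctionPrototypeApply continues past the end of the hunk.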
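Review bot: The regression test contains no assertion, so it only guards against a crash or DCHECK failure while optimizing foo, and that intent is not stated anywhere in the file; a comment before the first `foo(bar);` such as `// Must not crash: foo tail-calls Function.prototype.apply under --harmony-tailcalls.` would keep a later reader from "tightening" a test that never checked a value. Since bar returns undefined, replacing the final call with `assertEquals(undefined, foo(bar));` would additionally pin that the optimized code agrees with the unoptimized run.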