[turbofan] Always pass the right arity to calls.
We didn't update the arguments count properly when changing the JSCall node to a direct Call node. Bug: chromium:936302, v8:8895 Change-Id: I59a39a07e41151d8eaa2e1a1ea7b1835e00fb501 Reviewed-on: https://chromium-review.googlesource.com/c/1491191 Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#59885}
parent
a32e37edac
commit
834c4b3568
@ -1674,7 +1674,6 @@ Reduction JSTypedLowering::ReduceJSCall(Node* node) {
|
||||
// Compute flags for the call.
|
||||
CallDescriptor::Flags flags = CallDescriptor::kNeedsFrameState;
|
||||
Node* new_target = jsgraph()->UndefinedConstant();
|
||||
Node* argument_count = jsgraph()->Constant(arity);
|
||||
|
||||
if (NeedsArgumentAdaptorFrame(shared, arity)) {
|
||||
// Check if it's safe to skip the arguments adaptor for {shared},
|
||||
@ -1700,7 +1699,8 @@ Reduction JSTypedLowering::ReduceJSCall(Node* node) {
|
||||
|
||||
// Patch {node} to a direct call.
|
||||
node->InsertInput(graph()->zone(), arity + 2, new_target);
|
||||
node->InsertInput(graph()->zone(), arity + 3, argument_count);
|
||||
node->InsertInput(graph()->zone(), arity + 3,
|
||||
jsgraph()->Constant(arity));
|
||||
NodeProperties::ChangeOp(node,
|
||||
common()->Call(Linkage::GetJSCallDescriptor(
|
||||
graph()->zone(), false, 1 + arity,
|
||||
@ -1711,7 +1711,7 @@ Reduction JSTypedLowering::ReduceJSCall(Node* node) {
|
||||
node->InsertInput(graph()->zone(), 0,
|
||||
jsgraph()->HeapConstant(callable.code()));
|
||||
node->InsertInput(graph()->zone(), 2, new_target);
|
||||
node->InsertInput(graph()->zone(), 3, argument_count);
|
||||
node->InsertInput(graph()->zone(), 3, jsgraph()->Constant(arity));
|
||||
node->InsertInput(
|
||||
graph()->zone(), 4,
|
||||
jsgraph()->Constant(shared.internal_formal_parameter_count()));
|
||||
@ -1737,12 +1737,12 @@ Reduction JSTypedLowering::ReduceJSCall(Node* node) {
|
||||
Node* stub_code = jsgraph()->HeapConstant(callable.code());
|
||||
node->InsertInput(graph()->zone(), 0, stub_code); // Code object.
|
||||
node->InsertInput(graph()->zone(), 2, new_target);
|
||||
node->InsertInput(graph()->zone(), 3, argument_count);
|
||||
node->InsertInput(graph()->zone(), 3, jsgraph()->Constant(arity));
|
||||
NodeProperties::ChangeOp(node, common()->Call(call_descriptor));
|
||||
} else {
|
||||
// Patch {node} to a direct call.
|
||||
node->InsertInput(graph()->zone(), arity + 2, new_target);
|
||||
node->InsertInput(graph()->zone(), arity + 3, argument_count);
|
||||
node->InsertInput(graph()->zone(), arity + 3, jsgraph()->Constant(arity));
|
||||
NodeProperties::ChangeOp(node,
|
||||
common()->Call(Linkage::GetJSCallDescriptor(
|
||||
graph()->zone(), false, 1 + arity,
|
||||
|
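Review bot: The argument-count input is now built as `jsgraph()->Constant(arity)` at four separate `InsertInput` sites (index `arity + 3` in the two "Patch {node} to a direct call" paths, index 3 in the two paths that first insert `callable.code()`), and none of them says why the constant must be created there rather than once near the top of ReduceJSCall. The commit message implies `arity` is changed somewhere after the `NeedsArgumentAdaptorFrame` check, in code that lies outside the visible hunks, so a later cleanup that hoists the constant back up would presumably bring back a call whose count input disagrees with the `1 + arity` handed to `Linkage::GetJSCallDescriptor`. I would add a comment at the first site, `// {arity} may have been adjusted above; materialize the count only after that.`, and consider a debug-only check that the count equals the number of argument inputs actually left on {node}. A mismatch here is a frame-layout error in generated code rather than a wrong value, so the invariant deserves to be written down.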
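--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-936302.js
@@ -0,0 +1,25 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --opt
+
+(function() {
+'use strict';
+
+function baz() {
+'use asm';
+function f() {}
+return {f: f};
+}
+
+function foo(x) {
+baz(x);
+%DeoptimizeFunction(foo);
+}
+
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
+})();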
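Review bot: The new test carries no comment on what it pins, and it passes simply by not crashing, so a reader cannot tell which call shape matters. From the visible lines, `foo` calls `baz(x)` with one argument while `baz` declares no parameters, and the third `foo()` runs after `%OptimizeFunctionOnNextCall(foo)`; I would add a line above `foo` such as `// Optimized call to baz with more arguments than it declares; see crbug.com/936302.`. Whether the 'use asm' body of `baz` and the `%DeoptimizeFunction(foo)` call are both needed to reach the fixed path is not visible here and would be worth stating in the same comment.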