[turbofan] Always pass the right arity to calls.

We didn't update the arguments count properly when changing the JSCall
node to a direct Call node.

Bug: chromium:936302, v8:8895
Change-Id: I59a39a07e41151d8eaa2e1a1ea7b1835e00fb501
Reviewed-on: https://chromium-review.googlesource.com/c/1491191
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59885}
Benedikt Meurer 2019-02-27 07:45:37 +01:00 committed by Commit Bot
parent a32e37edac
commit 834c4b3568
2 changed files with 30 additions and 5 deletions


@ -1674,7 +1674,6 @@ Reduction JSTypedLowering::ReduceJSCall(Node* node) {
// Compute flags for the call.
CallDescriptor::Flags flags = CallDescriptor::kNeedsFrameState;
Node* new_target = jsgraph()->UndefinedConstant();
Node* argument_count = jsgraph()->Constant(arity);
if (NeedsArgumentAdaptorFrame(shared, arity)) {
// Check if it's safe to skip the arguments adaptor for {shared},
@ -1700,7 +1699,8 @@ Reduction JSTypedLowering::ReduceJSCall(Node* node) {
// Patch {node} to a direct call.
node->InsertInput(graph()->zone(), arity + 2, new_target);
node->InsertInput(graph()->zone(), arity + 3, argument_count);
node->InsertInput(graph()->zone(), arity + 3,
jsgraph()->Constant(arity));
NodeProperties::ChangeOp(node,
common()->Call(Linkage::GetJSCallDescriptor(
graph()->zone(), false, 1 + arity,
@ -1711,7 +1711,7 @@ Reduction JSTypedLowering::ReduceJSCall(Node* node) {
node->InsertInput(graph()->zone(), 0,
jsgraph()->HeapConstant(callable.code()));
node->InsertInput(graph()->zone(), 2, new_target);
node->InsertInput(graph()->zone(), 3, argument_count);
node->InsertInput(graph()->zone(), 3, jsgraph()->Constant(arity));
node->InsertInput(
graph()->zone(), 4,
jsgraph()->Constant(shared.internal_formal_parameter_count()));
@ -1737,12 +1737,12 @@ Reduction JSTypedLowering::ReduceJSCall(Node* node) {
Node* stub_code = jsgraph()->HeapConstant(callable.code());
node->InsertInput(graph()->zone(), 0, stub_code); // Code object.
node->InsertInput(graph()->zone(), 2, new_target);
node->InsertInput(graph()->zone(), 3, argument_count);
node->InsertInput(graph()->zone(), 3, jsgraph()->Constant(arity));
NodeProperties::ChangeOp(node, common()->Call(call_descriptor));
} else {
// Patch {node} to a direct call.
node->InsertInput(graph()->zone(), arity + 2, new_target);
node->InsertInput(graph()->zone(), arity + 3, argument_count);
node->InsertInput(graph()->zone(), arity + 3, jsgraph()->Constant(arity));
NodeProperties::ChangeOp(node,
common()->Call(Linkage::GetJSCallDescriptor(
graph()->zone(), false, 1 + arity,
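Review bot: Each of the four insertion sites now builds `jsgraph()->Constant(arity)` inline (the two `InsertInput(..., arity + 3, ...)` calls and the two at index 3), but nothing at those sites says why the hoisted `argument_count` node was wrong, so a later cleanup could re-hoist it and silently reintroduce a mismatch between the arguments actually pushed and the count handed to the callee. I would add a comment above the first replacement in the adaptor-skipping path: `// Build the argument count at the insertion site: {arity} may have been adjusted above, and the pushed value must agree with the 1 + arity used for the call descriptor below.` That {arity} is modified between the removed hoisted constant and these sites is inferred from the commit message, since that code lies outside the hunks. ReduceJSCall starts and ends outside the hunks.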


@ -0,0 +1,25 @@
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --opt
(function() {
'use strict';
function baz() {
'use asm';
function f() {}
return {f: f};
}
function foo(x) {
baz(x);
%DeoptimizeFunction(foo);
}
foo();
foo();
%OptimizeFunctionOnNextCall(foo);
foo();
})();
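Review bot: The test carries no comment describing what it guards, so the regression is only recoverable from the commit message. From the code, `foo` calls the `'use asm'` module function `baz` with one argument while `baz` declares none, deoptimizes itself, and is then optimized before the final call; presumably that optimized call is where the argument count passed to the direct call previously diverged from the callee's formal parameter count. A header comment after the `// Flags:` line such as `// Regression test: the argument count passed to a direct call must match the arguments pushed when the arity differs from the callee's formal parameter count.` would make the intent explicit for the next person who edits it.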