[maglev] Fix generalize representation in polymorphic loads

Bug: chromium:1411075, v8:7700 Change-Id: I5490fb665b2b46a4063c7465a9b2e223b2c8f99a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4200644 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Cr-Commit-Position: refs/heads/main@{#85539}
2023-01-30 11:30:46 +01:00 · 2023-01-30 11:30:46 +01:00 · 9ea6a67782
commit 9ea6a67782
parent 171587e66b
2 changed files with 20 additions and 2 deletions
--- a/src/maglev/maglev-graph-builder.cc
+++ b/src/maglev/maglev-graph-builder.cc
@ -2118,11 +2118,12 @@ bool MaglevGraphBuilder::TryBuildNamedAccess(
      switch (access_info.kind()) {
        case compiler::PropertyAccessInfo::kNotFound:
        case compiler::PropertyAccessInfo::kModuleExport:
-          field_repr.generalize(Representation::Tagged());
+          field_repr = field_repr.generalize(Representation::Tagged());
          break;
        case compiler::PropertyAccessInfo::kDataField:
        case compiler::PropertyAccessInfo::kFastDataConstant:
-          field_repr.generalize(access_info.field_representation());
+          field_repr =
+              field_repr.generalize(access_info.field_representation());
          break;
        default:
          // TODO(victorgomes): Support other access.
--- a/test/mjsunit/maglev/regress-1411075.js
+++ b/test/mjsunit/maglev/regress-1411075.js
@ -0,0 +1,17 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev
+
+function foo(__v_6, __v_7) {
+  return +__v_6.x;
+}
+
+%PrepareFunctionForOptimization(foo);
+foo({ x: 42 });
+foo(false);
+%OptimizeMaglevOnNextCall(foo);
+foo(false);
+
+assertEquals(NaN, foo(false));