[turbofan] Properly check call arity for Object.is(o,o).

Bug: chromium:771971, v8:6882 Change-Id: Id1a602306bc89a5f96e180f70d6f713015d2dbb6 Reviewed-on: https://chromium-review.googlesource.com/702834 Reviewed-by: Michael Starzinger <mstarzinger@chromium.org> Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#48329}
2017-10-05 20:01:51 +02:00 · 2017-10-05 20:01:51 +02:00 · c77dfda0ac
commit c77dfda0ac
parent 4443683654
2 changed files with 13 additions and 1 deletions
--- a/src/compiler/js-builtin-reducer.cc
+++ b/src/compiler/js-builtin-reducer.cc
@ -2502,7 +2502,7 @@ Reduction JSBuiltinReducer::ReduceObjectIs(Node* node) {
  // SameValue simplified operator (and also a StrictEqual simplified
  // operator) and create unified handling in SimplifiedLowering.
  JSCallReduction r(node);
-  if (r.left() == r.right()) {
+  if (r.GetJSCallArity() == 2 && r.left() == r.right()) {
    // Object.is(x,x) => #true
    Node* value = jsgraph()->TrueConstant();
    return Replace(value);
--- a/test/mjsunit/regress/regress-crbug-771971.js
+++ b/test/mjsunit/regress/regress-crbug-771971.js
@ -0,0 +1,12 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function f() { Object.is(); }
+
+f();
+f();
+%OptimizeFunctionOnNextCall(f);
+f();