[turbofan] Teach escape analysis about ConvertTaggedHoleToUndefined.

The EscapeStatusAnalysis didn't know anything about the simplified operator ConvertTaggedHoleToUndefined, thus leading to a crash. We now just handled it by pretending that any allocation that goes into such a node escapes. BUG=chromium:669451 R=tebbi@chromium.org Review-Url: https://codereview.chromium.org/2533263002 Cr-Commit-Position: refs/heads/master@{#41359}
2016-11-29 05:13:27 -08:00 · 2016-11-29 05:13:27 -08:00 · d6752d94a8
commit d6752d94a8
parent d045f41c5c
2 changed files with 16 additions and 0 deletions
--- a/src/compiler/escape-analysis.cc
+++ b/src/compiler/escape-analysis.cc
@ -796,6 +796,7 @@ bool EscapeStatusAnalysis::CheckUsesForEscape(Node* uses, Node* rep,
      case IrOpcode::kSelect:
      // TODO(mstarzinger): The following list of operators will eventually be
      // handled by the EscapeAnalysisReducer (similar to ObjectIsSmi).
+      case IrOpcode::kConvertTaggedHoleToUndefined:
      case IrOpcode::kStringEqual:
      case IrOpcode::kStringLessThan:
      case IrOpcode::kStringLessThanOrEqual:
--- a/test/mjsunit/regress/regress-crbug-669451.js
+++ b/test/mjsunit/regress/regress-crbug-669451.js
@ -0,0 +1,15 @@
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+  var a = [,];
+  a[0] = {}
+  a[0].toString = FAIL;
+}
+try { foo(); } catch (e) {}
+try { foo(); } catch (e) {}
+%OptimizeFunctionOnNextCall(foo);
+try { foo(); } catch (e) {}