[compiler] Fix two invalid ref uses

Invalid ref construction (should assume a memory fence), and invalid unconditional use of an optional ref. Bug: v8:7790,chromium:1236303,chromium:1236307 Change-Id: Id0a12222d3d29a0728290ad5269da0946647a5ca Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3070698 Commit-Queue: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#76074}
2021-08-04 09:43:31 +02:00 · 2021-08-04 09:43:31 +02:00 · e33384147c
commit e33384147c
parent 01898366cf
4 changed files with 31 additions and 6 deletions
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@ -4220,9 +4220,10 @@ Reduction JSCallReducer::ReduceCallOrConstructWithArrayLikeOrSpread(
  if (feedback.IsInsufficient()) return NoChange();

  AllocationSiteRef site = feedback.AsLiteral().value();
-  base::Optional<JSArrayRef> boilerplate_array =
-      site.boilerplate()->AsJSArray();
-  int const array_length = boilerplate_array->GetBoilerplateLength().AsSmi();
+  if (!site.boilerplate().has_value()) return NoChange();
+
+  JSArrayRef boilerplate_array = site.boilerplate()->AsJSArray();
+  int const array_length = boilerplate_array.GetBoilerplateLength().AsSmi();

  // We'll replace the arguments_list input with {array_length} element loads.
  new_argument_count = argument_count - 1 + array_length;
@ -4235,7 +4236,7 @@ Reduction JSCallReducer::ReduceCallOrConstructWithArrayLikeOrSpread(
  }

  // Determine the array's map.
-  MapRef array_map = boilerplate_array->map();
+  MapRef array_map = boilerplate_array.map();
  if (!array_map.supports_fast_array_iteration()) {
    return NoChange();
  }
--- a/src/compiler/js-heap-broker.cc
+++ b/src/compiler/js-heap-broker.cc
@ -691,7 +691,7 @@ ProcessedFeedback const& JSHeapBroker::ReadFeedbackForInstanceOf(
    MaybeHandle<JSObject> maybe_constructor = nexus.GetConstructorFeedback();
    Handle<JSObject> constructor;
    if (maybe_constructor.ToHandle(&constructor)) {
-      optional_constructor = MakeRef(this, *constructor);
+      optional_constructor = MakeRefAssumeMemoryFence(this, *constructor);
    }
  }
  return *zone()->New<InstanceOfFeedback>(optional_constructor, nexus.kind());
@ -941,7 +941,7 @@ base::Optional<NameRef> JSHeapBroker::GetNameFeedback(
    FeedbackNexus const& nexus) {
  Name raw_name = nexus.GetName();
  if (raw_name.is_null()) return base::nullopt;
-  return MakeRef(this, raw_name);
+  return MakeRefAssumeMemoryFence(this, raw_name);
 }

 PropertyAccessInfo JSHeapBroker::GetPropertyAccessInfo(
--- a/test/mjsunit/regress/regress-1236303.js
+++ b/test/mjsunit/regress/regress-1236303.js
@ -0,0 +1,13 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var __v_16 = {};
+__f_27();
+function __f_27() {
+  var __v_15 = Symbol();
+  __v_16[__v_15] = "abc";
+  for (var __v_1 = 0; __v_1 < 100000; __v_1++) {
+  }
+}
+__f_27();
--- a/test/mjsunit/regress/regress-1236307.js
+++ b/test/mjsunit/regress/regress-1236307.js
@ -0,0 +1,11 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function __f_2(__v_6) {
+  try {
+    if (__v_6 > 0) return __f_2(...[__v_6 - 1]);
+  } catch (e) {}
+}
+__f_2(100000);
+__f_2(100000);