[turbofan] Add missing map checks in a reducer

ReduceArrayIndexOfIncludes didn't account for kUnreliableReceiverMaps. Will think about a more robust mechanism for this. Bug: chromium:944062 Change-Id: Ib2bdaf4399225de4413e12c5684f58dfe524a2cd Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1532331 Commit-Queue: Jaroslav Sevcik <jarin@chromium.org> Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Cr-Commit-Position: refs/heads/master@{#60400}
2019-03-21 10:55:18 +01:00 · 2019-03-21 10:55:18 +01:00 · e80082bf54
commit e80082bf54
parent aca2c9e606
3 changed files with 50 additions and 0 deletions
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@ -2564,6 +2564,14 @@ Reduction JSCallReducer::ReduceArrayIndexOfIncludes(
    if (!dependencies()->DependOnNoElementsProtector()) UNREACHABLE();
  }

+  // If we have unreliable maps, we need a map check.
+  if (result == NodeProperties::kUnreliableReceiverMaps) {
+    effect =
+        graph()->NewNode(simplified()->CheckMaps(CheckMapsFlag::kNone,
+                                                 receiver_maps, p.feedback()),
+                         receiver, effect, control);
+  }
+
  Callable const callable = search_variant == SearchVariant::kIndexOf
                                ? GetCallableForArrayIndexOf(kind, isolate())
                                : GetCallableForArrayIncludes(kind, isolate());
--- a/test/mjsunit/compiler/regress-944062-1.js
+++ b/test/mjsunit/compiler/regress-944062-1.js
@ -0,0 +1,25 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+const array = [42, 2.1];  // non-stable map (PACKED_DOUBLE)
+let b = false;
+
+function f() {
+  if (b) array[100000] = 4.2;  // go to dictionary mode
+  return 42
+};
+%NeverOptimizeFunction(f);
+
+function includes() {
+  return array.includes(f());
+}
+
+assertTrue(includes());
+assertTrue(includes());
+%OptimizeFunctionOnNextCall(includes);
+assertTrue(includes());
+b = true;
+assertTrue(includes());
--- a/test/mjsunit/compiler/regress-944062-2.js
+++ b/test/mjsunit/compiler/regress-944062-2.js
@ -0,0 +1,17 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function includes(key, array) {
+  // Transition to dictionary mode in the final invocation.
+  array.__defineSetter__(key, () => {});
+  // Will then read OOB.
+  return array.includes(1234);
+}
+includes("", []);
+includes("", []);
+%OptimizeFunctionOnNextCall(includes);
+includes("", []);
+includes("1235", []);