AuroraMiddleware/v8
1
0
Fork 0
Code Issues 2 Pull Requests Releases Wiki Activity
8264058c28
v8/test/mjsunit/regress/regress-1230597.js
Leszek Swirski 18b6362551 [interpreter] Fix block resurrection by LoopHeader 
Loop headers in the interpreter would start a new basic block, which
among other things would reset the liveness of that block. This meant
that a loop created after dead code, without a check for whether the
code is currently dead or not, would "resurrect" that block's liveness,
making the inside of the loop live even though the loop itself is
unreachable.

This works fine, since the loop is still unreachable, but can breaks
DCHECKs in bytecode liveness analysis for cases where a register is
supposed to be initialised before the loop, in the dead code, and is
then used inside the loop, in the resurrected code.

Normally this wouldn't be a problem, since blocks are normally killed on
the statement level and we check for deadness during statement
iteration, but `foo() = x` introduces an expression-level block killer
(being re-written to `foo[throw ReferenceError] = x`) and we don't check
for deadness after assignment Lhs preparation.

This does mean that we have to fix the InterpreterJumps test, to not try
to jump into the middle of a loop (since this could revive the loop).
This can only happen when manually creating bytecode, bytecode generated
from JavaScript is always reducible.

Bug: chromium:1230597
Change-Id: I8403ccdeae7e5450adf629026e2ca8a134c81877
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3275557
Commit-Queue: Leszek Swirski <leszeks@chromium.org>
Reviewed-by: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#77846}
2021-11-11 13:59:32 +00:00

36 lines
1005 B
JavaScript
Raw Blame History

// Copyright 2021 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
//
// Flags: --allow-natives-syntax
function main() {
// This seems to just be some register setup for the benefit of the optimising
// compiler.
for(var i=0; i<2; i++) {
if(i==1) { }
with ({}) {
try {
var07().foo = 1;
} catch { }
}
}
// This is where the bug was.
try {
// The `var10() = ...` is rewritten to `var10[throw ReferenceError] = ...`,
// making the value of the assign dead. However, there is a loop inside the
// spread that used to accidentally resurrect that block.
//
// This broke checks in the optimizing compiler since the iterator setup was
// dead but the iterator use inside the spread's loop was live.
var10() = var08(1, ...foo, 2);
} catch { }
}
%PrepareFunctionForOptimization(main);
main();
%OptimizeFunctionOnNextCall(main);
main();
Reference in New Issue View Git Blame Copy Permalink