From 5ce282769772d94937eb2cb88eb419a6890c8b2d Mon Sep 17 00:00:00 2001
From: Michael Hablich
Date: Thu, 25 Aug 2016 11:56:36 +0200
Subject: [PATCH] Version 5.4.500.1 (cherry-pick)

Merged 6646d73b6f387e7ef6add056cc022b6dafe03d36

[turbofan] Use ObjectIsReceiver directly for inlining.

BUG=chromium:640369
LOG=N
R=mstarzinger@chromium.org
TBR=mstarzinger@chromium.org

Review URL: https://codereview.chromium.org/2272393002 .

Cr-Commit-Position: refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}
---
 include/v8-version.h | 2 +-
 src/compiler/js-inlining.cc | 16 ++++++++--------
 src/compiler/js-inlining.h | 1 +
 test/mjsunit/regress/regress-crbug-640369.js | 15 +++++++++++++++
 4 files changed, 25 insertions(+), 9 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-640369.js

diff --git a/include/v8-version.h b/include/v8-version.h
index 06fbf84cfe51..46d1c54635e2 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 5
 #define V8_MINOR_VERSION 4
 #define V8_BUILD_NUMBER 500
-#define V8_PATCH_LEVEL 0
+#define V8_PATCH_LEVEL 1
 
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/src/compiler/js-inlining.cc b/src/compiler/js-inlining.cc
index 4f1dc7c708fb..635daa4d7614 100644
--- a/src/compiler/js-inlining.cc
+++ b/src/compiler/js-inlining.cc
@@ -16,6 +16,7 @@
 #include "src/compiler/node-matchers.h"
 #include "src/compiler/node-properties.h"
 #include "src/compiler/operator-properties.h"
+#include "src/compiler/simplified-operator.h"
 #include "src/compiler/type-hint-analyzer.h"
 #include "src/isolate-inl.h"
 #include "src/parsing/parse-info.h"
@@ -435,20 +436,15 @@ Reduction JSInliner::ReduceJSCall(Node* node, Handle function) {
 NodeProperties::ReplaceEffectInput(node, create);
 // Insert a check of the return value to determine whether the return
 // value or the implicit receiver should be selected as a result of the
- // call. The check is wired into the successful control completion.
- Node* success = graph()->NewNode(common()->IfSuccess(), node);
- Node* check = graph()->NewNode(
- javascript()->CallRuntime(Runtime::kInlineIsJSReceiver, 1), node,
- context, node, success);
+ // call.
+ Node* check = graph()->NewNode(simplified()->ObjectIsReceiver(), node);
 Node* select = graph()->NewNode(
 common()->Select(MachineRepresentation::kTagged), check, node, create);
- NodeProperties::ReplaceUses(node, select, check, check, node);
+ NodeProperties::ReplaceUses(node, select, node, node, node);
 // Fix-up inputs that have been mangled by the {ReplaceUses} call above.
 NodeProperties::ReplaceValueInput(select, node, 1); // Fix-up input.
 NodeProperties::ReplaceValueInput(check, node, 0); // Fix-up input.
- NodeProperties::ReplaceEffectInput(check, node); // Fix-up input.
- NodeProperties::ReplaceControlInput(success, node); // Fix-up input.
 receiver = create; // The implicit receiver.
 }
 
@@ -527,6 +523,10 @@ JSOperatorBuilder* JSInliner::javascript() const {
 
 CommonOperatorBuilder* JSInliner::common() const { return jsgraph()->common(); }
 
+SimplifiedOperatorBuilder* JSInliner::simplified() const {
+ return jsgraph()->simplified();
+}
+
 } // namespace compiler
 } // namespace internal
 } // namespace v8
diff --git a/src/compiler/js-inlining.h b/src/compiler/js-inlining.h
index bb4cb9dd631b..49487f5a0a76 100644
--- a/src/compiler/js-inlining.h
+++ b/src/compiler/js-inlining.h
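Review bot: The replacement comment `// call.` drops the only sentence that explained how the receiver check is wired, and the wiring is precisely what this hunk changes: `ObjectIsReceiver` is a simplified operator taking just the value, so the `IfSuccess` projection, the `context`/effect/control inputs of the old `CallRuntime`, and the two effect/control fix-ups all disappear, and `ReplaceUses(node, select, node, node, node)` now redirects only the value uses of `node` while leaving its effect, control and exception uses where they were. I would keep that reasoning in the source, e.g. `// call. {ObjectIsReceiver} is pure, so the check needs no effect or control wiring and the IfSuccess/IfException projections of {node} stay untouched.` It is also worth saying why the two `ReplaceValueInput` fix-ups survive: `ReplaceUses` rewrites the value input that `check` and `select` themselves take from `node`, so they are restored afterwards. Presumably the old success-only wiring is what crbug 640369 tripped over on the throwing path, which the added regression test drives; ReduceJSCall begins and ends outside this hunk.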
@@ -38,6 +38,7 @@ class JSInliner final : public AdvancedReducer {
 private:
 CommonOperatorBuilder* common() const;
 JSOperatorBuilder* javascript() const;
+ SimplifiedOperatorBuilder* simplified() const;
 Graph* graph() const;
 JSGraph* jsgraph() const { return jsgraph_; }
 
diff --git a/test/mjsunit/regress/regress-crbug-640369.js b/test/mjsunit/regress/regress-crbug-640369.js
new file mode 100644
index 000000000000..97982d1224fc
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-640369.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function A() {
+ this.x = 0;
+ for (var i = 0; i < max; ) {}
+}
+function foo() {
+ for (var i = 0; i < 1; i = 2) %OptimizeOsr();
+ return new A();
+}
+try { foo(); } catch (e) { }
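Review bot: The new regression test never states why it is expected to throw: `max` is not declared anywhere in the file, so `i < max` inside `A` raises a ReferenceError as soon as `new A()` runs, and the `try { foo(); } catch (e) { }` wrapper exists only so the test survives that. Presumably this is the exception path of the inlined constructor call that crbug 640369 exercises, in which case a comment above `function A()` such as `// {max} is intentionally undeclared: the constructor must throw so the optimized call takes its exception path.` would stop a later cleanup from "fixing" the undeclared name and silently neutralising the test. The copyright header also reads `2014` in a file created by this 2016 commit, which suggests it was copied from another regression test.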