diff --git a/src/compiler/js-inlining.cc b/src/compiler/js-inlining.cc
index 4f1dc7c708fb..635daa4d7614 100644
--- a/src/compiler/js-inlining.cc
+++ b/src/compiler/js-inlining.cc
@@ -16,6 +16,7 @@
 #include "src/compiler/node-matchers.h"
 #include "src/compiler/node-properties.h"
 #include "src/compiler/operator-properties.h"
+#include "src/compiler/simplified-operator.h"
 #include "src/compiler/type-hint-analyzer.h"
 #include "src/isolate-inl.h"
 #include "src/parsing/parse-info.h"
@@ -435,20 +436,15 @@ Reduction JSInliner::ReduceJSCall(Node* node, Handle function) {
 NodeProperties::ReplaceEffectInput(node, create);
 // Insert a check of the return value to determine whether the return
 // value or the implicit receiver should be selected as a result of the
- // call. The check is wired into the successful control completion.
- Node* success = graph()->NewNode(common()->IfSuccess(), node);
- Node* check = graph()->NewNode(
- javascript()->CallRuntime(Runtime::kInlineIsJSReceiver, 1), node,
- context, node, success);
+ // call.
+ Node* check = graph()->NewNode(simplified()->ObjectIsReceiver(), node);
 Node* select = graph()->NewNode(
 common()->Select(MachineRepresentation::kTagged), check, node, create);
- NodeProperties::ReplaceUses(node, select, check, check, node);
+ NodeProperties::ReplaceUses(node, select, node, node, node);
 // Fix-up inputs that have been mangled by the {ReplaceUses} call above.
 NodeProperties::ReplaceValueInput(select, node, 1); // Fix-up input.
 NodeProperties::ReplaceValueInput(check, node, 0); // Fix-up input.
- NodeProperties::ReplaceEffectInput(check, node); // Fix-up input.
- NodeProperties::ReplaceControlInput(success, node); // Fix-up input.
 receiver = create; // The implicit receiver.
 }
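Review bot: The shortened `// call.` comment no longer explains why the check needs no control or effect wiring, so the new `NodeProperties::ReplaceUses(node, select, node, node, node)` — which passes `node` for the effect, success and exception slots and thereby leaves those uses in place — reads oddly next to the "mangled inputs" fix-up lines that follow. I would extend the comment to `// call. ObjectIsReceiver is a pure simplified operator, so the check only needs the call's value output; the effect and control chains of {node} stay untouched.` and annotate the ReplaceUses line with `// Only value uses move to {select}; effect/control uses stay on {node}.`. That makes explicit that the select's ordering after the call is carried by the value edge alone, which is why the two remaining `ReplaceValueInput` fix-ups are sufficient and no control fix-up is missing. ReduceJSCall starts and ends outside this hunk, so I cannot see whether `context` still has another use once the CallRuntime is gone; if it does not, it is now an unused local in this scope and worth checking under a warnings-as-errors build.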
@@ -527,6 +523,10 @@ JSOperatorBuilder* JSInliner::javascript() const {
 CommonOperatorBuilder* JSInliner::common() const {
 return jsgraph()->common();
 }
+SimplifiedOperatorBuilder* JSInliner::simplified() const {
+ return jsgraph()->simplified();
+}
+
 } // namespace compiler
 } // namespace internal
 } // namespace v8
diff --git a/src/compiler/js-inlining.h b/src/compiler/js-inlining.h
index bb4cb9dd631b..49487f5a0a76 100644
--- a/src/compiler/js-inlining.h
+++ b/src/compiler/js-inlining.h
@@ -38,6 +38,7 @@ class JSInliner final : public AdvancedReducer {
 private:
 CommonOperatorBuilder* common() const;
 JSOperatorBuilder* javascript() const;
+ SimplifiedOperatorBuilder* simplified() const;
 Graph* graph() const;
 JSGraph* jsgraph() const { return jsgraph_; }
diff --git a/test/mjsunit/regress/regress-crbug-640369.js b/test/mjsunit/regress/regress-crbug-640369.js
new file mode 100644
index 000000000000..97982d1224fc
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-640369.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function A() {
+ this.x = 0;
+ for (var i = 0; i < max; ) {}
+}
+function foo() {
+ for (var i = 0; i < 1; i = 2) %OptimizeOsr();
+ return new A();
+}
+try { foo(); } catch (e) { }
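Review bot: The regression test never states what it exercises: `max` is not defined anywhere in the file, so `A()` throws a ReferenceError on the inlined constructor path, and `try { foo(); } catch (e) { }` swallows everything, which means the test only guards against a crash or optimizer assertion, not against an observable result. A comment above `function A()` such as `// {max} is deliberately undefined: the inlined, OSR-optimized constructor call throws, which is the path under test.` would keep the intent from being "fixed" away by someone defining the variable. Narrowing the catch to the expected failure, e.g. `try { foo(); } catch (e) { assertInstanceof(e, ReferenceError); }`, would additionally turn a silently swallowed wrong exception into a test failure. The copyright line says 2014 while the file name references crbug 640369; it was presumably copied from an older test and the year likely wants updating.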