[turbofan] Avoid relaxing node that has other effect use

It is related to Reduce consecutive overflow addition with constants. Turned out that we needs to consider also effect use before relaxing it. This fixed the issue that fuzzer found in e93a369. Bug: chromium:1137586 Change-Id: I32fee5ecc7a6ce40d6f739f9c6e2440a647a2222 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2469597 Commit-Queue: Z Nguyen-Huu <duongn@microsoft.com> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#70514}
couchbasedeps · Oct 14, 2020 · b22f5ac · b22f5ac
1 parent 04221a9
commit b22f5ac
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 6 deletions.
diff --git a/src/compiler/simplified-operator-reducer.cc b/src/compiler/simplified-operator-reducer.cc
@@ -234,16 +234,14 @@ Reduction SimplifiedOperatorReducer::Reduce(Node* node) {
             bool overflow = base::bits::SignedAddOverflow32(
                 n.right().Value(), m.right().Value(), &val);
             if (!overflow) {
-              bool has_no_other_value_uses = true;
+              bool has_no_other_uses = true;
               for (Edge edge : checked_int32_add->use_edges()) {
-                if (!edge.from()->IsDead() &&
-                    !NodeProperties::IsEffectEdge(edge) &&
-                    edge.from() != node) {
-                  has_no_other_value_uses = false;
+                if (!edge.from()->IsDead() && edge.from() != node) {
+                  has_no_other_uses = false;
                   break;
                 }
               }
-              if (has_no_other_value_uses) {
+              if (has_no_other_uses) {
                 node->ReplaceInput(0, n.left().node());
                 node->ReplaceInput(1, jsgraph()->Int32Constant(val));
                 RelaxEffectsAndControls(checked_int32_add);

diff --git a/test/mjsunit/regress/regress-crbug-1137586.js b/test/mjsunit/regress/regress-crbug-1137586.js
@@ -0,0 +1,16 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function f() {
+  for (var i = 0; i < 100000; i++) {
+    var a = arguments[0] + 2;
+    var b = arguments[1] + 2;
+    var c = a + i + 5;
+    var d = c + 3;
+  }
+}
+
+for (var j = 0; j < 3; j++) {
+  f(2, 3);
+}