Skip to content
Permalink
Browse files

[turbofan] handle DeadValue in JSCreateArguments lowering

JSCallReducer runs at the same time as DeadCodeElimination and hence can observe an incompletely propagated DeadValue in place of a StateValue node holding the arguments to materialize for JSCreateArguments.
This CL fixes this by aborting the lowring of JSCreateArguments in this case.

Bug: chromium:819311 v8:7536
Change-Id: I42c4a1923e3dbe470db1a16c5069aaa7c38659ac
Reviewed-on: https://chromium-review.googlesource.com/955306
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#51808}
  • Loading branch information...
tebbi authored and Commit Bot committed Mar 8, 2018
1 parent 35b4bde commit 221173eaa222a23041f00f02ad9da812d1027e49
Showing with 21 additions and 0 deletions.
  1. +21 −0 src/compiler/js-create-lowering.cc
@@ -352,6 +352,13 @@ Reduction JSCreateLowering::ReduceJSCreateArguments(Node* node) {
// whether there conceptually is an arguments adaptor frame in the call
// chain.
Node* const args_state = GetArgumentsFrameState(frame_state);
if (args_state->InputAt(kFrameStateParametersInput)->opcode() ==
IrOpcode::kDeadValue) {
// This protects against an incompletely propagated DeadValue node.
// If the FrameState has a DeadValue input, then this node will be
// pruned anyway.
return NoChange();
}
FrameStateInfo args_state_info = FrameStateInfoOf(args_state->op());
// Prepare element backing store to be used by arguments object.
bool has_aliased_arguments = false;
@@ -385,6 +392,13 @@ Reduction JSCreateLowering::ReduceJSCreateArguments(Node* node) {
// whether there conceptually is an arguments adaptor frame in the call
// chain.
Node* const args_state = GetArgumentsFrameState(frame_state);
if (args_state->InputAt(kFrameStateParametersInput)->opcode() ==
IrOpcode::kDeadValue) {
// This protects against an incompletely propagated DeadValue node.
// If the FrameState has a DeadValue input, then this node will be
// pruned anyway.
return NoChange();
}
FrameStateInfo args_state_info = FrameStateInfoOf(args_state->op());
// Prepare element backing store to be used by arguments object.
Node* const elements = AllocateArguments(effect, control, args_state);
@@ -414,6 +428,13 @@ Reduction JSCreateLowering::ReduceJSCreateArguments(Node* node) {
// whether there conceptually is an arguments adaptor frame in the call
// chain.
Node* const args_state = GetArgumentsFrameState(frame_state);
if (args_state->InputAt(kFrameStateParametersInput)->opcode() ==
IrOpcode::kDeadValue) {
// This protects against an incompletely propagated DeadValue node.
// If the FrameState has a DeadValue input, then this node will be
// pruned anyway.
return NoChange();
}
FrameStateInfo args_state_info = FrameStateInfoOf(args_state->op());
// Prepare element backing store to be used by the rest array.
Node* const elements =

0 comments on commit 221173e

Please sign in to comment.
You can’t perform that action at this time.