[turbofan] Properly thread through the feedback for HeapObject checks.

We somehow forgot to thread through the VectorSlotPair for the CALL_IC
based speculation feedback to CheckedTaggedToTaggedPointer. This was
showing for example with `String#concat()` where we ended up with an
endless deoptimization loop if the parameter was a Smi.

Bug: v8:8913
Change-Id: I84d90403f6fada9b435d4eb71c689edc3c34dc86
Reviewed-on: https://chromium-review.googlesource.com/c/1488770
Commit-Queue: Benedikt Meurer <bmeurer@chromium.org>
Reviewed-by: Mathias Bynens <mathias@chromium.org>
Reviewed-by: Sigurd Schneider <sigurds@chromium.org>
Cr-Commit-Position: refs/heads/master@{#59871}

src/compiler/representation-change.h

@@ -188,9 +188,10 @@ class UseInfo {
   }
 
   // Possibly deoptimizing conversions.
-  static UseInfo CheckedHeapObjectAsTaggedPointer() {
+  static UseInfo CheckedHeapObjectAsTaggedPointer(
+      const VectorSlotPair& feedback) {
     return UseInfo(MachineRepresentation::kTaggedPointer, Truncation::Any(),
-                   TypeCheckKind::kHeapObject);
+                   TypeCheckKind::kHeapObject, feedback);
   }
   static UseInfo CheckedSignedSmallAsTaggedSigned(
       const VectorSlotPair& feedback,

src/compiler/simplified-lowering.cc

@@ -1041,7 +1041,8 @@ class RepresentationSelector {
                 MachineRepresentation::kTaggedPointer);
       if (lower()) DeferReplacement(node, node->InputAt(0));
     } else {
-      VisitUnop(node, UseInfo::CheckedHeapObjectAsTaggedPointer(),
+      VisitUnop(node,
+                UseInfo::CheckedHeapObjectAsTaggedPointer(VectorSlotPair()),
                 MachineRepresentation::kTaggedPointer);
     }
   }
@@ -2666,7 +2667,8 @@ class RepresentationSelector {
           VisitUnop(node, UseInfo::AnyTagged(),
                     MachineRepresentation::kTaggedPointer);
         } else {
-          VisitUnop(node, UseInfo::CheckedHeapObjectAsTaggedPointer(),
+          VisitUnop(node,
+                    UseInfo::CheckedHeapObjectAsTaggedPointer(VectorSlotPair()),
                     MachineRepresentation::kTaggedPointer);
         }
         if (lower()) DeferReplacement(node, node->InputAt(0));
@@ -2716,7 +2718,17 @@ class RepresentationSelector {
         return;
       }
       case IrOpcode::kCheckString: {
-        VisitCheck(node, Type::String(), lowering);
+        const CheckParameters& params = CheckParametersOf(node->op());
+        if (InputIs(node, Type::String())) {
+          VisitUnop(node, UseInfo::AnyTagged(),
+                    MachineRepresentation::kTaggedPointer);
+          if (lower()) DeferReplacement(node, node->InputAt(0));
+        } else {
+          VisitUnop(
+              node,
+              UseInfo::CheckedHeapObjectAsTaggedPointer(params.feedback()),
+              MachineRepresentation::kTaggedPointer);
+        }
         return;
       }
       case IrOpcode::kCheckSymbol: {

test/mjsunit/mjsunit.status

@@ -519,6 +519,7 @@
   'regress/regress-7254': [SKIP],
   'regress/regress-7510': [SKIP],
   'regress/regress-794825': [SKIP],
+  'regress/regress-8913': [SKIP],
   'regress/regress-crbug-554831': [SKIP],
   'regress/regress-crbug-587068': [SKIP],
   'regress/regress-crbug-594183': [SKIP],

test/mjsunit/regress/regress-8913.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --opt
+
+function foo(t) { return 'a'.concat(t); }
+
+foo(1);
+foo(1);
+%OptimizeFunctionOnNextCall(foo);
+foo(1);
+%OptimizeFunctionOnNextCall(foo);
+foo(1);
+assertOptimized(foo);