[turbofan] handle DeadValue in JSCreateArguments lowering

JSCallReducer runs at the same time as DeadCodeElimination and hence can observe an incompletely propagated DeadValue in place of a StateValue node holding the arguments to materialize for JSCreateArguments. This CL fixes this by aborting the lowring of JSCreateArguments in this case. Bug: chromium:819311 v8:7536 Change-Id: I42c4a1923e3dbe470db1a16c5069aaa7c38659ac Reviewed-on: https://chromium-review.googlesource.com/955306Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#51808}

[turbofan] handle DeadValue in JSCreateArguments lowering
JSCallReducer runs at the same time as DeadCodeElimination and hence can observe an incompletely propagated DeadValue in place of a StateValue node holding the arguments to materialize for JSCreateArguments. This CL fixes this by aborting the lowring of JSCreateArguments in this case. Bug: chromium:819311 v8:7536 Change-Id: I42c4a1923e3dbe470db1a16c5069aaa7c38659ac Reviewed-on: https://chromium-review.googlesource.com/955306Reviewed-by: Jaroslav Sevcik <jarin@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#51808}
221173ea · Tobias Tebbi · Commit Bot · 35b4bde8 · 221173ea
Commit 221173ea authored Mar 08, 2018 by Tobias Tebbi Committed by Commit Bot Mar 08, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 0 deletions

js-create-lowering.cc src/compiler/js-create-lowering.cc +21 -0

No files found.
--- a/src/compiler/js-create-lowering.cc
+++ b/src/compiler/js-create-lowering.cc
@@ -352,6 +352,13 @@ Reduction JSCreateLowering::ReduceJSCreateArguments(Node* node) {
      // whether there conceptually is an arguments adaptor frame in the call
      // chain.
      Node* const args_state = GetArgumentsFrameState(frame_state);
+      if (args_state->InputAt(kFrameStateParametersInput)->opcode() ==
+          IrOpcode::kDeadValue) {
+        // This protects against an incompletely propagated DeadValue node.
+        // If the FrameState has a DeadValue input, then this node will be
+        // pruned anyway.
+        return NoChange();
+      }
      FrameStateInfo args_state_info = FrameStateInfoOf(args_state->op());
      // Prepare element backing store to be used by arguments object.
      bool has_aliased_arguments = false;
@@ -385,6 +392,13 @@ Reduction JSCreateLowering::ReduceJSCreateArguments(Node* node) {
      // whether there conceptually is an arguments adaptor frame in the call
      // chain.
      Node* const args_state = GetArgumentsFrameState(frame_state);
+      if (args_state->InputAt(kFrameStateParametersInput)->opcode() ==
+          IrOpcode::kDeadValue) {
+        // This protects against an incompletely propagated DeadValue node.
+        // If the FrameState has a DeadValue input, then this node will be
+        // pruned anyway.
+        return NoChange();
+      }
      FrameStateInfo args_state_info = FrameStateInfoOf(args_state->op());
      // Prepare element backing store to be used by arguments object.
      Node* const elements = AllocateArguments(effect, control, args_state);
@@ -414,6 +428,13 @@ Reduction JSCreateLowering::ReduceJSCreateArguments(Node* node) {
      // whether there conceptually is an arguments adaptor frame in the call
      // chain.
      Node* const args_state = GetArgumentsFrameState(frame_state);
+      if (args_state->InputAt(kFrameStateParametersInput)->opcode() ==
+          IrOpcode::kDeadValue) {
+        // This protects against an incompletely propagated DeadValue node.
+        // If the FrameState has a DeadValue input, then this node will be
+        // pruned anyway.
+        return NoChange();
+      }
      FrameStateInfo args_state_info = FrameStateInfoOf(args_state->op());
      // Prepare element backing store to be used by the rest array.
      Node* const elements =