[turbofan] Add bounds check to Node::InputAt(index) and fix tests that go out of bounds.

BUG=

Review URL: https://codereview.chromium.org/1149563004

Cr-Commit-Position: refs/heads/master@{#28540}

src/compiler/arm64/instruction-selector-arm64.cc

@@ -1088,7 +1088,7 @@ void InstructionSelector::VisitTruncateFloat64ToFloat32(Node* node) {
 void InstructionSelector::VisitTruncateInt64ToInt32(Node* node) {
   Arm64OperandGenerator g(this);
   Node* value = node->InputAt(0);
-  if (CanCover(node, value)) {
+  if (CanCover(node, value) && value->InputCount() >= 2) {
     Int64BinopMatcher m(value);
     if ((m.IsWord64Sar() && m.right().HasValue() &&
          (m.right().Value() == 32)) ||

src/compiler/node.h

@@ -58,7 +58,15 @@ class Node final {
   NodeId id() const { return id_; }
 
   int InputCount() const { return input_count(); }
-  Node* InputAt(int index) const { return GetInputRecordPtr(index)->to; }
+  Node* InputAt(int index) const {
+#if DEBUG
+    if (index < 0 || index >= InputCount()) {
+      V8_Fatal(__FILE__, __LINE__, "Node #%d:%s->InputAt(%d) out of bounds",
+               id(), op()->mnemonic(), index);
+    }
+#endif
+    return GetInputRecordPtr(index)->to;
+  }
   inline void ReplaceInput(int index, Node* new_to);
   void AppendInput(Zone* zone, Node* new_to);
   void InsertInput(Zone* zone, int index, Node* new_to);

test/cctest/compiler/test-js-typed-lowering.cc

@@ -462,8 +462,9 @@ TEST(JSToNumber_replacement) {
 
   for (size_t i = 0; i < arraysize(types); i++) {
     Node* n = R.Parameter(types[i]);
-    Node* c = R.graph.NewNode(R.javascript.ToNumber(), n, R.context(),
-                              R.start(), R.start());
+    Node* c =
+        R.graph.NewNode(R.javascript.ToNumber(), n, R.context(),
+                        R.EmptyFrameState(R.context()), R.start(), R.start());
     Node* effect_use = R.UseForEffect(c);
     Node* add = R.graph.NewNode(R.simplified.ReferenceEqual(Type::Any()), n, c);
 

test/cctest/compiler/test-osr.cc

@@ -523,8 +523,8 @@ TEST(Deconstruct_osr_nested3) {
   // middle loop.
   Node* loop1 = T.graph.NewNode(T.common.Loop(2), loop0.if_true, T.self);
   loop1->ReplaceInput(0, loop0.if_true);
-  Node* loop1_phi =
-      T.graph.NewNode(T.common.Phi(kMachAnyTagged, 2), loop0_cntr, loop0_cntr);
+  Node* loop1_phi = T.graph.NewNode(T.common.Phi(kMachAnyTagged, 2), loop0_cntr,
+                                    loop0_cntr, loop1);
 
   // innermost (OSR) loop.
   While loop2(T, T.p0, true, 1);

test/cctest/compiler/test-simplified-lowering.cc

@@ -1443,8 +1443,8 @@ TEST(LowerLoadField_to_load) {
     FieldAccess access = {kTaggedBase, FixedArrayBase::kHeaderSize,
                           Handle<Name>::null(), Type::Any(), kMachineReps[i]};
 
-    Node* load =
-        t.graph()->NewNode(t.simplified()->LoadField(access), t.p0, t.start);
+    Node* load = t.graph()->NewNode(t.simplified()->LoadField(access), t.p0,
+                                    t.start, t.start);
     Node* use = t.Use(load, kMachineReps[i]);
     t.Return(use);
     t.Lower();
@@ -1624,8 +1624,8 @@ TEST(InsertChangeForLoadField) {
   FieldAccess access = {kTaggedBase, FixedArrayBase::kHeaderSize,
                         Handle<Name>::null(), Type::Any(), kMachFloat64};
 
-  Node* load =
-      t.graph()->NewNode(t.simplified()->LoadField(access), t.p0, t.start);
+  Node* load = t.graph()->NewNode(t.simplified()->LoadField(access), t.p0,
+                                  t.start, t.start);
   t.Return(load);
   t.Lower();
   CHECK_EQ(IrOpcode::kLoad, load->opcode());
@@ -1679,10 +1679,10 @@ TEST(UpdatePhi) {
     FieldAccess access = {kTaggedBase, FixedArrayBase::kHeaderSize,
                           Handle<Name>::null(), kTypes[i], kMachineTypes[i]};
 
-    Node* load0 =
-        t.graph()->NewNode(t.simplified()->LoadField(access), t.p0, t.start);
-    Node* load1 =
-        t.graph()->NewNode(t.simplified()->LoadField(access), t.p1, t.start);
+    Node* load0 = t.graph()->NewNode(t.simplified()->LoadField(access), t.p0,
+                                     t.start, t.start);
+    Node* load1 = t.graph()->NewNode(t.simplified()->LoadField(access), t.p1,
+                                     t.start, t.start);
     Node* phi = t.graph()->NewNode(t.common()->Phi(kMachAnyTagged, 2), load0,
                                    load1, t.start);
     t.Return(t.Use(phi, kMachineTypes[i]));

test/unittests/compiler/js-builtin-reducer-unittest.cc

@@ -77,10 +77,14 @@ Type* const kNumberTypes[] = {
 TEST_F(JSBuiltinReducerTest, MathMax0) {
   Node* function = MathFunction("max");
 
+  Node* effect = graph()->start();
+  Node* control = graph()->start();
+  Node* frame_state = graph()->start();
   TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
     Node* call = graph()->NewNode(
         javascript()->CallFunction(2, NO_CALL_FUNCTION_FLAGS, language_mode),
-        function, UndefinedConstant());
+        function, UndefinedConstant(), frame_state, frame_state, effect,
+        control);
     Reduction r = Reduce(call);
 
     ASSERT_TRUE(r.Changed());
@@ -92,12 +96,16 @@ TEST_F(JSBuiltinReducerTest, MathMax0) {
 TEST_F(JSBuiltinReducerTest, MathMax1) {
   Node* function = MathFunction("max");
 
+  Node* effect = graph()->start();
+  Node* control = graph()->start();
+  Node* frame_state = graph()->start();
   TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
     TRACED_FOREACH(Type*, t0, kNumberTypes) {
       Node* p0 = Parameter(t0, 0);
       Node* call = graph()->NewNode(
           javascript()->CallFunction(3, NO_CALL_FUNCTION_FLAGS, language_mode),
-          function, UndefinedConstant(), p0);
+          function, UndefinedConstant(), p0, frame_state, frame_state, effect,
+          control);
       Reduction r = Reduce(call);
 
       ASSERT_TRUE(r.Changed());
@@ -110,6 +118,9 @@ TEST_F(JSBuiltinReducerTest, MathMax1) {
 TEST_F(JSBuiltinReducerTest, MathMax2) {
   Node* function = MathFunction("max");
 
+  Node* effect = graph()->start();
+  Node* control = graph()->start();
+  Node* frame_state = graph()->start();
   TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
     TRACED_FOREACH(Type*, t0, kIntegral32Types) {
       TRACED_FOREACH(Type*, t1, kIntegral32Types) {
@@ -118,7 +129,8 @@ TEST_F(JSBuiltinReducerTest, MathMax2) {
         Node* call =
             graph()->NewNode(javascript()->CallFunction(
                                  4, NO_CALL_FUNCTION_FLAGS, language_mode),
-                             function, UndefinedConstant(), p0, p1);
+                             function, UndefinedConstant(), p0, p1, frame_state,
+                             frame_state, effect, control);
         Reduction r = Reduce(call);
 
         ASSERT_TRUE(r.Changed());
@@ -137,6 +149,9 @@ TEST_F(JSBuiltinReducerTest, MathMax2) {
 TEST_F(JSBuiltinReducerTest, MathImul) {
   Node* function = MathFunction("imul");
 
+  Node* effect = graph()->start();
+  Node* control = graph()->start();
+  Node* frame_state = graph()->start();
   TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
     TRACED_FOREACH(Type*, t0, kIntegral32Types) {
       TRACED_FOREACH(Type*, t1, kIntegral32Types) {
@@ -145,7 +160,8 @@ TEST_F(JSBuiltinReducerTest, MathImul) {
         Node* call =
             graph()->NewNode(javascript()->CallFunction(
                                  4, NO_CALL_FUNCTION_FLAGS, language_mode),
-                             function, UndefinedConstant(), p0, p1);
+                             function, UndefinedConstant(), p0, p1, frame_state,
+                             frame_state, effect, control);
         Reduction r = Reduce(call);
 
         ASSERT_TRUE(r.Changed());
@@ -163,12 +179,16 @@ TEST_F(JSBuiltinReducerTest, MathImul) {
 TEST_F(JSBuiltinReducerTest, MathFround) {
   Node* function = MathFunction("fround");
 
+  Node* effect = graph()->start();
+  Node* control = graph()->start();
+  Node* frame_state = graph()->start();
   TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
     TRACED_FOREACH(Type*, t0, kNumberTypes) {
       Node* p0 = Parameter(t0, 0);
       Node* call = graph()->NewNode(
           javascript()->CallFunction(3, NO_CALL_FUNCTION_FLAGS, language_mode),
-          function, UndefinedConstant(), p0);
+          function, UndefinedConstant(), p0, frame_state, frame_state, effect,
+          control);
       Reduction r = Reduce(call);
 
       ASSERT_TRUE(r.Changed());

test/unittests/compiler/js-typed-lowering-unittest.cc

@@ -459,10 +459,9 @@ TEST_F(JSTypedLoweringTest, JSShiftLeftWithSigned32AndConstant) {
   Node* const control = graph()->start();
   TRACED_FORRANGE(double, rhs, 0, 31) {
     TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
-      Reduction r =
-          Reduce(graph()->NewNode(javascript()->ShiftLeft(language_mode), lhs,
-                                  NumberConstant(rhs), context, effect,
-                                  control));
+      Reduction r = Reduce(graph()->NewNode(
+          javascript()->ShiftLeft(language_mode), lhs, NumberConstant(rhs),
+          context, EmptyFrameState(), EmptyFrameState(), effect, control));
       ASSERT_TRUE(r.Changed());
       EXPECT_THAT(r.replacement(),
                   IsWord32Shl(lhs, IsNumberConstant(BitEq(rhs))));
@@ -478,9 +477,9 @@ TEST_F(JSTypedLoweringTest, JSShiftLeftWithSigned32AndUnsigned32) {
   Node* const effect = graph()->start();
   Node* const control = graph()->start();
   TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
-    Reduction r =
-        Reduce(graph()->NewNode(javascript()->ShiftLeft(language_mode), lhs,
-                                rhs, context, effect, control));
+    Reduction r = Reduce(graph()->NewNode(
+        javascript()->ShiftLeft(language_mode), lhs, rhs, context,
+        EmptyFrameState(), EmptyFrameState(), effect, control));
     ASSERT_TRUE(r.Changed());
     EXPECT_THAT(r.replacement(),
                 IsWord32Shl(lhs, IsWord32And(rhs, IsInt32Constant(0x1f))));
@@ -499,10 +498,9 @@ TEST_F(JSTypedLoweringTest, JSShiftRightWithSigned32AndConstant) {
   Node* const control = graph()->start();
   TRACED_FORRANGE(double, rhs, 0, 31) {
     TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
-      Reduction r =
-          Reduce(graph()->NewNode(javascript()-> ShiftRight(language_mode), lhs,
-                                  NumberConstant(rhs), context, effect,
-                                  control));
+      Reduction r = Reduce(graph()->NewNode(
+          javascript()->ShiftRight(language_mode), lhs, NumberConstant(rhs),
+          context, EmptyFrameState(), EmptyFrameState(), effect, control));
       ASSERT_TRUE(r.Changed());
       EXPECT_THAT(r.replacement(),
                   IsWord32Sar(lhs, IsNumberConstant(BitEq(rhs))));
@@ -518,9 +516,9 @@ TEST_F(JSTypedLoweringTest, JSShiftRightWithSigned32AndUnsigned32) {
   Node* const effect = graph()->start();
   Node* const control = graph()->start();
   TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
-    Reduction r = Reduce(graph()->NewNode(javascript()->
-                                          ShiftRight(language_mode), lhs, rhs,
-                                          context, effect, control));
+    Reduction r = Reduce(graph()->NewNode(
+        javascript()->ShiftRight(language_mode), lhs, rhs, context,
+        EmptyFrameState(), EmptyFrameState(), effect, control));
     ASSERT_TRUE(r.Changed());
     EXPECT_THAT(r.replacement(),
                 IsWord32Sar(lhs, IsWord32And(rhs, IsInt32Constant(0x1f))));
@@ -540,11 +538,10 @@ TEST_F(JSTypedLoweringTest,
   Node* const control = graph()->start();
   TRACED_FORRANGE(double, rhs, 0, 31) {
     TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
-      Reduction r =
-          Reduce(graph()->NewNode(javascript()->
-                                  ShiftRightLogical(language_mode), lhs,
-                                  NumberConstant(rhs), context, effect,
-                                  control));
+      Reduction r = Reduce(
+          graph()->NewNode(javascript()->ShiftRightLogical(language_mode), lhs,
+                           NumberConstant(rhs), context, EmptyFrameState(),
+                           EmptyFrameState(), effect, control));
       ASSERT_TRUE(r.Changed());
       EXPECT_THAT(r.replacement(),
                   IsWord32Shr(lhs, IsNumberConstant(BitEq(rhs))));
@@ -561,9 +558,9 @@ TEST_F(JSTypedLoweringTest,
   Node* const effect = graph()->start();
   Node* const control = graph()->start();
   TRACED_FOREACH(LanguageMode, language_mode, kLanguageModes) {
-    Reduction r = Reduce(graph()->NewNode(javascript()->
-                                          ShiftRightLogical(language_mode), lhs,
-                                          rhs, context, effect, control));
+    Reduction r = Reduce(graph()->NewNode(
+        javascript()->ShiftRightLogical(language_mode), lhs, rhs, context,
+        EmptyFrameState(), EmptyFrameState(), effect, control));
     ASSERT_TRUE(r.Changed());
     EXPECT_THAT(r.replacement(),
                 IsWord32Shr(lhs, IsWord32And(rhs, IsInt32Constant(0x1f))));
@@ -887,9 +884,9 @@ TEST_F(JSTypedLoweringTest, JSLoadNamedGlobalConstants) {
 
   for (size_t i = 0; i < arraysize(names); i++) {
     Unique<Name> name = Unique<Name>::CreateImmovable(names[i]);
-    Reduction r =
-        Reduce(graph()->NewNode(javascript()->LoadNamed(name, feedback), global,
-                                context, EmptyFrameState(), effect, control));
+    Reduction r = Reduce(graph()->NewNode(
+        javascript()->LoadNamed(name, feedback), global, context,
+        EmptyFrameState(), EmptyFrameState(), effect, control));
 
     ASSERT_TRUE(r.Changed());
     EXPECT_THAT(r.replacement(), matches[i]);

test/unittests/compiler/scheduler-unittest.cc

@@ -657,8 +657,9 @@ TEST_F(SchedulerTest, BuildScheduleIfSplit) {
   Node* p3 = graph()->NewNode(common()->Parameter(2), graph()->start());
   Node* p4 = graph()->NewNode(common()->Parameter(3), graph()->start());
   Node* p5 = graph()->NewNode(common()->Parameter(4), graph()->start());
-  Node* cmp = graph()->NewNode(js()->LessThanOrEqual(LanguageMode::SLOPPY), p1,
-                               p2, p3, p4, graph()->start(), graph()->start());
+  Node* cmp =
+      graph()->NewNode(js()->LessThanOrEqual(LanguageMode::SLOPPY), p1, p2, p3,
+                       p4, p5, graph()->start(), graph()->start());
   Node* branch = graph()->NewNode(common()->Branch(), cmp, graph()->start());
   Node* true_branch = graph()->NewNode(common()->IfTrue(), branch);
   Node* false_branch = graph()->NewNode(common()->IfFalse(), branch);