[ignition] BytecodeGraphBuilder: Merge correct environment in try block

Making new nodes inside of exception-handled blocks fiddles around with the current environment to merge the exception paths. In particular, the current environment pointer is mutated. This patch ensures that when we merge the fast and slow paths of the LdaContextLookup, we actually merge the correct environment and do not accidentally merge the exceptional environment. BUG=chromium:651394 Review-Url: https://codereview.chromium.org/2379043002 Cr-Commit-Position: refs/heads/master@{#39878}

[ignition] BytecodeGraphBuilder: Merge correct environment in try block
Making new nodes inside of exception-handled blocks fiddles around with the current environment to merge the exception paths. In particular, the current environment pointer is mutated. This patch ensures that when we merge the fast and slow paths of the LdaContextLookup, we actually merge the correct environment and do not accidentally merge the exceptional environment. BUG=chromium:651394 Review-Url: https://codereview.chromium.org/2379043002 Cr-Commit-Position: refs/heads/master@{#39878}
537c8558 · leszeks · Commit bot · 497af7fc · 537c8558 · 537c8558
Commit 537c8558 authored Sep 29, 2016 by leszeks Committed by Commit bot Sep 29, 2016
3 changed files
--- a/src/compiler/bytecode-graph-builder.cc
+++ b/src/compiler/bytecode-graph-builder.cc
@@ -906,18 +906,16 @@ void BytecodeGraphBuilder::BuildLdaLookupContextSlot(TypeofMode typeof_mode) {
                extension_slot, jsgraph()->TheHoleConstant());

    NewBranch(check_no_extension);
-    Environment* false_environment = environment();
    Environment* true_environment = environment()->CopyForConditional();

    {
-      set_environment(false_environment);
      NewIfFalse();
      // If there is an extension, merge into the slow path.
      if (slow_environment == nullptr) {
-        slow_environment = false_environment;
+        slow_environment = environment();
        NewMerge();
      } else {
-        slow_environment->Merge(false_environment);
+        slow_environment->Merge(environment());
      }
    }

@@ -956,7 +954,7 @@ void BytecodeGraphBuilder::BuildLdaLookupContextSlot(TypeofMode typeof_mode) {
    environment()->BindAccumulator(value, &states);
  }

-  fast_environment->Merge(slow_environment);
+  fast_environment->Merge(environment());
  set_environment(fast_environment);
 }


--- a/test/mjsunit/regress/regress-crbug-651403-global.js
+++ b/test/mjsunit/regress/regress-crbug-651403-global.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --ignition-staging --turbo --always-opt
+
+x = "";
+
+function f () {
+  function g() {
+    try {
+      eval('');
+      return x;
+    } catch(e) {
+    }
+  }
+  return g();
+}
+
+f();
--- a/test/mjsunit/regress/regress-crbug-651403.js
+++ b/test/mjsunit/regress/regress-crbug-651403.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --ignition-staging --turbo --always-opt
+
+function f () {
+  var x = "";
+  function g() {
+    try {
+      eval('');
+      return x;
+    } catch(e) {
+    }
+  }
+  return g();
+}
+
+f();