Commit 6254e98d authored by Tobias Tebbi's avatar Tobias Tebbi Committed by Commit Bot

[turbofan] fix bug in CommonOperatorReducer::ReduceReturn

In this bug, we might replace a phi node with the Dead node even though
it still has uses. DeadCodeElimination picks this up and inserts a
runtime crash into the code.

Bug: chromium:974474
Change-Id: Iea685913c8666806972719bbfb0891e516207d4f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1669693
Commit-Queue: Tobias Tebbi <tebbi@chromium.org>
Reviewed-by: 's avatarJaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62352}
parent c07a2d61
......@@ -337,9 +337,9 @@ Reduction CommonOperatorReducer::ReduceReturn(Node* node) {
// End
// Now the effect input to the {Return} node can be either an {EffectPhi}
// hanging off the same {Merge}, or the {Merge} node is only connected to
// the {Return} and the {Phi}, in which case we know that the effect input
// must somehow dominate all merged branches.
// hanging off the same {Merge}, or the effect chain doesn't depend on the
// {Phi} or the {Merge}, in which case we know that the effect input must
// somehow dominate all merged branches.
Node::Inputs control_inputs = control->inputs();
Node::Inputs value_inputs = value->inputs();
......@@ -347,7 +347,7 @@ Reduction CommonOperatorReducer::ReduceReturn(Node* node) {
DCHECK_EQ(control_inputs.count(), value_inputs.count() - 1);
DCHECK_EQ(IrOpcode::kEnd, graph()->end()->opcode());
DCHECK_NE(0, graph()->end()->InputCount());
if (control->OwnedBy(node, value)) {
if (control->OwnedBy(node, value) && value->OwnedBy(node)) {
for (int i = 0; i < control_inputs.count(); ++i) {
// Create a new {Return} and connect it to {end}. We don't need to mark
// {end} as revisit, because we mark {node} as {Dead} below, which was
......
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(x) {
const y = x == 42;
() => {y};
if (y) { Object(); }
[!!y];
return y;
}
%PrepareFunctionForOptimization(foo);
foo(42); foo(42);
%OptimizeFunctionOnNextCall(foo);
foo(42);
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment