[compiler] Fix a bug concerning PropertyAccessInfo

Don't create DataField and FastDataConstant access infos with a kNone field representation. Instead return Invalid. Bug: chromium:1239601 Change-Id: I4df7aa298974f9dcd650ead50aaa349c84feb487 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097463Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#76343}

[compiler] Fix a bug concerning PropertyAccessInfo
Don't create DataField and FastDataConstant access infos with a kNone field representation. Instead return Invalid. Bug: chromium:1239601 Change-Id: I4df7aa298974f9dcd650ead50aaa349c84feb487 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3097463Reviewed-by: Jakob Gruber <jgruber@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#76343}
78ffa512 · Georg Neis · V8 LUCI CQ · 14c3e2d6 · 78ffa512 · 78ffa512
Commit 78ffa512 authored Aug 17, 2021 by Georg Neis Committed by V8 LUCI CQ Aug 17, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 28 additions and 0 deletions

access-info.cc src/compiler/access-info.cc +4 -0

regress-1239601.js test/mjsunit/compiler/regress-1239601.js +24 -0

No files found.
--- a/src/compiler/access-info.cc
+++ b/src/compiler/access-info.cc
@@ -109,6 +109,7 @@ PropertyAccessInfo PropertyAccessInfo::DataField(
    FieldIndex field_index, Representation field_representation,
    Type field_type, MapRef field_owner_map, base::Optional<MapRef> field_map,
    base::Optional<JSObjectRef> holder, base::Optional<MapRef> transition_map) {
+  DCHECK(!field_representation.IsNone());
  DCHECK_IMPLIES(
      field_representation.IsDouble(),
      HasFieldRepresentationDependenciesOnMap(
@@ -129,6 +130,7 @@ PropertyAccessInfo PropertyAccessInfo::FastDataConstant(
    FieldIndex field_index, Representation field_representation,
    Type field_type, MapRef field_owner_map, base::Optional<MapRef> field_map,
    base::Optional<JSObjectRef> holder, base::Optional<MapRef> transition_map) {
+  DCHECK(!field_representation.IsNone());
  return PropertyAccessInfo(kFastDataConstant, holder, transition_map,
                            field_index, field_representation, field_type,
                            field_owner_map, field_map, {{receiver_map}, zone},
@@ -1132,6 +1134,8 @@ PropertyAccessInfo AccessInfoFactory::LookupTransition(

  int const index = details.field_index();
  Representation details_representation = details.representation();
+  if (details_representation.IsNone()) return Invalid();
+
  FieldIndex field_index = FieldIndex::ForPropertyIndex(
      *transition_map.object(), index, details_representation);
  Type field_type = Type::NonInternal();

--- a/test/mjsunit/compiler/regress-1239601.js
+++ b/test/mjsunit/compiler/regress-1239601.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+  const a = {};
+  const b = [];
+  const unused = {__proto__: [], p1: a, p2: 0, p3: 0, p4: 0};
+
+  function inline(x) { x.gaga; }
+
+  inline(a);
+  inline(b);
+
+  b.p1 = 42;
+}
+
+
+%PrepareFunctionForOptimization(foo);
+for (var i = 0; i < 10; i++) foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();