Commit 8c0b68e3 authored by Georg Neis, committed by Commit Bot

[turbofan] Fix CHECK failure in graph verifier

ForInNext can get lowered to a low-level call to the ForInFilter
builtin. We currently type low-level Call nodes simply as Any, leading
to a CHECK failure when the verifier expects a primitive.

This CL fixes the issue simply by manually setting the type as part of
the lowering. An alternative would be to have the Call typing inspect
its input similar to what the JSCall typing does. We can consider this
if we hit the same issue in other cases.

Bug: chromium:1102053
Change-Id: I6682d8cf95c6a3ebaff9c8de677aa20ca676573f
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2282523
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68688}
parent 58f1119a
......@@ -1976,6 +1976,9 @@ Reduction JSTypedLowering::ReduceJSForInNext(Node* node) {
graph()->NewNode(common()->Call(call_descriptor),
jsgraph()->HeapConstant(callable.code()), key,
receiver, context, frame_state, effect, if_false);
NodeProperties::SetType(
vfalse,
Type::Union(Type::String(), Type::Undefined(), graph()->zone()));
// Update potential {IfException} uses of {node} to point to the above
// ForInFilter stub call node instead.
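Review bot: The NodeProperties::SetType call on vfalse needs a comment saying why the type is set by hand. Nothing in the hunk explains it, and the reason given in the commit message (low-level Call nodes are otherwise typed as Any) is not obvious at this site. The Type::Union(Type::String(), Type::Undefined(), ...) is also asserted rather than derived from the ForInFilter builtin, so the comment should state that it has to match what that builtin can return. Later passes will trust this type, and a stale one would feed wrong assumptions into them instead of tripping the verifier.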
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --interrupt-budget=1024
const v10 =
{__proto__: [42], a: 1757695453, length: Promise, toString: 1337, d: []};
async function foo(a) {
a.length;
for (const k in v10) {
for (let i = 0; i < k; i++) {}
for (let i = 0; i < 10; i++) {
function bar() {}
while (a < 1) {
for (const kk of []) await 42;
}
}
}
}
for (let i = 0; i < 2; i++) {
foo([42]);
}
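Review bot: The regression test does not say what it exercises: the fuzzer-style names and constants (v10, 1757695453, 1337) and the nested loops in foo give no hint which part reaches the ForInNext lowering. Add a short comment naming the for (const k in v10) loop as the relevant construct and noting that the test passes by not hitting the CHECK, since it contains no assertion. It would also help to say why --interrupt-budget=1024 is required, so the flag is not dropped later as unrelated.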