[turbofan] Fix bug in JSStoreInArrayLiteral

It was missing a control output. Bug: chromium:946889 Change-Id: I85f203fc6e27a60f0b86e0e2999dd798a5416dfc Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547655 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#60549}

[turbofan] Fix bug in JSStoreInArrayLiteral
It was missing a control output. Bug: chromium:946889 Change-Id: I85f203fc6e27a60f0b86e0e2999dd798a5416dfc Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1547655 Commit-Queue: Georg Neis <neis@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Cr-Commit-Position: refs/heads/master@{#60549}
8d6da708 · Georg Neis · Commit Bot · 6ac65cfb · 8d6da708 · 8d6da708
Commit 8d6da708 authored Apr 01, 2019 by Georg Neis Committed by Commit Bot Apr 01, 2019
5 changed files
--- a/src/compiler/js-generic-lowering.cc
+++ b/src/compiler/js-generic-lowering.cc
@@ -31,7 +31,8 @@ CallDescriptor::Flags FrameStateFlagForCall(Node* node) {

 }  // namespace

-JSGenericLowering::JSGenericLowering(JSGraph* jsgraph) : jsgraph_(jsgraph) {}
+JSGenericLowering::JSGenericLowering(JSGraph* jsgraph, Editor* editor)
+    : AdvancedReducer(editor), jsgraph_(jsgraph) {}

 JSGenericLowering::~JSGenericLowering() = default;

@@ -308,6 +309,7 @@ void JSGenericLowering::LowerJSStoreInArrayLiteral(Node* node) {
      Builtins::CallableFor(isolate(), Builtins::kStoreInArrayLiteralIC);
  CallDescriptor::Flags flags = FrameStateFlagForCall(node);
  FeedbackParameter const& p = FeedbackParameterOf(node->op());
+  RelaxControls(node);
  node->InsertInput(zone(), 3, jsgraph()->SmiConstant(p.feedback().index()));
  node->InsertInput(zone(), 4, jsgraph()->HeapConstant(p.feedback().vector()));
  ReplaceWithStubCall(node, callable, flags);

--- a/src/compiler/js-generic-lowering.h
+++ b/src/compiler/js-generic-lowering.h
@@ -21,9 +21,9 @@ class Linkage;


 // Lowers JS-level operators to runtime and IC calls in the "generic" case.
-class JSGenericLowering final : public Reducer {
+class JSGenericLowering final : public AdvancedReducer {
 public:
-  explicit JSGenericLowering(JSGraph* jsgraph);
+  JSGenericLowering(JSGraph* jsgraph, Editor* editor);
  ~JSGenericLowering() final;

  const char* reducer_name() const override { return "JSGenericLowering"; }

--- a/src/compiler/js-operator.cc
+++ b/src/compiler/js-operator.cc
@@ -825,7 +825,7 @@ const Operator* JSOperatorBuilder::StoreInArrayLiteral(
      IrOpcode::kJSStoreInArrayLiteral,
      Operator::kNoThrow,       // opcode
      "JSStoreInArrayLiteral",  // name
-      3, 1, 1, 0, 1, 0,         // counts
+      3, 1, 1, 0, 1, 1,         // counts
      parameters);              // parameter
 }


--- a/src/compiler/pipeline.cc
+++ b/src/compiler/pipeline.cc
@@ -1349,7 +1349,7 @@ struct GenericLoweringPhase {
  void Run(PipelineData* data, Zone* temp_zone) {
    GraphReducer graph_reducer(temp_zone, data->graph(),
                               data->jsgraph()->Dead());
-    JSGenericLowering generic_lowering(data->jsgraph());
+    JSGenericLowering generic_lowering(data->jsgraph(), &graph_reducer);
    AddReducer(data, &graph_reducer, &generic_lowering);
    graph_reducer.ReduceGraph();
  }

--- a/test/mjsunit/compiler/regress-946889.js
+++ b/test/mjsunit/compiler/regress-946889.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+Object.preventExtensions(Array.prototype);
+
+function foo() {
+  var arr = [];
+  [...arr, 42, null];
+  arr.length = 1;
+}
+
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();