[turbofan] Fix deoptimization framestate in A.p.reduce[Right]

Array.prototype.reduce[Right] used a lazy deoptimization frame state for an eager deopt point. Bug: v8:7336, chromium:804096 Change-Id: I720f9e049bd6b396e025fa59192fdbc6b4f18647 Reviewed-on: https://chromium-review.googlesource.com/878120 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Daniel Clifford <danno@chromium.org> Cr-Commit-Position: refs/heads/master@{#50752}

[turbofan] Fix deoptimization framestate in A.p.reduce[Right]
Array.prototype.reduce[Right] used a lazy deoptimization frame state for an eager deopt point. Bug: v8:7336, chromium:804096 Change-Id: I720f9e049bd6b396e025fa59192fdbc6b4f18647 Reviewed-on: https://chromium-review.googlesource.com/878120 Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Reviewed-by: Daniel Clifford <danno@chromium.org> Cr-Commit-Position: refs/heads/master@{#50752}
9e47513a · Sigurd Schneider · Commit Bot · afb42cb3 · 9e47513a · 9e47513a
Commit 9e47513a authored Jan 22, 2018 by Sigurd Schneider Committed by Commit Bot Jan 22, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 33 additions and 9 deletions

js-call-reducer.cc src/compiler/js-call-reducer.cc +19 -8

deoptimize-reason.h src/deoptimize-reason.h +2 -1

regress-804096.js test/mjsunit/regress/regress-804096.js +12 -0

No files found.
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -1070,15 +1070,19 @@ Reduction JSCallReducer::ReduceArrayReduce(Handle<JSFunction> function,
                                        jsgraph()->UndefinedConstant()});
  const int stack_parameters = static_cast<int>(checkpoint_params.size());
-  Builtins::Name builtin =
+  Builtins::Name builtin_lazy =
      left ? Builtins::kArrayReduceLoopLazyDeoptContinuation
           : Builtins::kArrayReduceRightLoopLazyDeoptContinuation;
+  Builtins::Name builtin_eager =
+      left ? Builtins::kArrayReduceLoopEagerDeoptContinuation
+           : Builtins::kArrayReduceRightLoopEagerDeoptContinuation;
  // Check whether the given callback function is callable. Note that
  // this has to happen outside the loop to make sure we also throw on
  // empty arrays.
  Node* check_frame_state = CreateJavaScriptBuiltinContinuationFrameState(
-      jsgraph(), function, builtin, node->InputAt(0), context,
+      jsgraph(), function, builtin_lazy, node->InputAt(0), context,
      &checkpoint_params[0], stack_parameters - 1, outer_frame_state,
      ContinuationFrameStateMode::LAZY);
  Node* check_fail = nullptr;
@@ -1089,6 +1093,12 @@ Reduction JSCallReducer::ReduceArrayReduce(Handle<JSFunction> function,
  // Set initial accumulator value
  Node* cur = jsgraph()->TheHoleConstant();
+  Node* initial_element_frame_state =
+      CreateJavaScriptBuiltinContinuationFrameState(
+          jsgraph(), function, builtin_eager, node->InputAt(0), context,
+          &checkpoint_params[0], stack_parameters, outer_frame_state,
+          ContinuationFrameStateMode::EAGER);
  if (node->op()->ValueInputCount() > 3) {
    cur = NodeProperties::GetValueInput(node, 3);
  } else {
@@ -1097,15 +1107,16 @@ Reduction JSCallReducer::ReduceArrayReduce(Handle<JSFunction> function,
    Node* next_k = graph()->NewNode(next_op, k, jsgraph()->OneConstant());
    Node* loop = control;
    Node* eloop = effect;
-    effect = graph()->NewNode(common()->Checkpoint(), check_frame_state, effect,
+    effect = graph()->NewNode(common()->Checkpoint(),
-                              control);
+                              initial_element_frame_state, effect, control);
    Node* continue_test =
        left ? graph()->NewNode(simplified()->NumberLessThan(), k,
                                original_length)
             : graph()->NewNode(simplified()->NumberLessThanOrEqual(),
                                jsgraph()->ZeroConstant(), k);
-    effect = graph()->NewNode(simplified()->CheckIf(DeoptimizeReason::kUnknown),
+    effect = graph()->NewNode(
-                              continue_test, effect, control);
+        simplified()->CheckIf(DeoptimizeReason::kNoInitialElement),
+        continue_test, effect, control);
    cur = SafeLoadElement(kind, receiver, control, &effect, &k, p.feedback());
@@ -1151,7 +1162,7 @@ Reduction JSCallReducer::ReduceArrayReduce(Handle<JSFunction> function,
  control = if_true;
  Node* frame_state = CreateJavaScriptBuiltinContinuationFrameState(
-      jsgraph(), function, builtin, node->InputAt(0), context,
+      jsgraph(), function, builtin_eager, node->InputAt(0), context,
      &checkpoint_params[0], stack_parameters, outer_frame_state,
      ContinuationFrameStateMode::EAGER);
@@ -1192,7 +1203,7 @@ Reduction JSCallReducer::ReduceArrayReduce(Handle<JSFunction> function,
  }
  frame_state = CreateJavaScriptBuiltinContinuationFrameState(
-      jsgraph(), function, builtin, node->InputAt(0), context,
+      jsgraph(), function, builtin_lazy, node->InputAt(0), context,
      &checkpoint_params[0], stack_parameters - 1, outer_frame_state,
      ContinuationFrameStateMode::LAZY);

--- a/src/deoptimize-reason.h
+++ b/src/deoptimize-reason.h
@@ -53,7 +53,8 @@ namespace internal {
  V(WrongInstanceType, "wrong instance type")                                  \
  V(WrongMap, "wrong map")                                                     \
  V(WrongName, "wrong name")                                                   \
-  V(WrongValue, "wrong value")
+  V(WrongValue, "wrong value")                                                 \
+  V(NoInitialElement, "no initial element")
 enum class DeoptimizeReason : uint8_t {
 #define DEOPTIMIZE_REASON(Name, message) k##Name,

--- a/test/mjsunit/regress/regress-804096.js
+++ b/test/mjsunit/regress/regress-804096.js
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --opt
+for (let i = 0; i < 5000; i++) {
+  try {
+    [].reduce(function() {});
+  } catch (x) {
+  }
+}