[turbofan] Fix JSInliner to handle non-returning bodies.

The assumption that every function body produces a value does not hold for functions that e.g. unconditionally throw or endlessly loop. This fixes the inlining logic to handle such cases. R=bmeurer@chromium.org TEST=mjsunit/regress/regress-crbug-530598 BUG=chromium:530598 LOG=n Review URL: https://codereview.chromium.org/1333193005 Cr-Commit-Position: refs/heads/master@{#30738}

[turbofan] Fix JSInliner to handle non-returning bodies.
The assumption that every function body produces a value does not hold for functions that e.g. unconditionally throw or endlessly loop. This fixes the inlining logic to handle such cases. R=bmeurer@chromium.org TEST=mjsunit/regress/regress-crbug-530598 BUG=chromium:530598 LOG=n Review URL: https://codereview.chromium.org/1333193005 Cr-Commit-Position: refs/heads/master@{#30738}
9e47ec6e · mstarzinger · Commit bot · 1e00bb57 · 9e47ec6e · 9e47ec6e
Commit 9e47ec6e authored Sep 15, 2015 by mstarzinger Committed by Commit bot Sep 15, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 16 deletions

js-inlining.cc src/compiler/js-inlining.cc +21 -16

regress-crbug-530598.js test/mjsunit/regress/regress-crbug-530598.js +25 -0

No files found.
--- a/src/compiler/js-inlining.cc
+++ b/src/compiler/js-inlining.cc
@@ -189,24 +189,29 @@ Reduction JSInliner::InlineCall(Node* call, Node* context, Node* frame_state,
        break;
    }
  }
-  DCHECK_NE(0u, values.size());
  DCHECK_EQ(values.size(), effects.size());
  DCHECK_EQ(values.size(), controls.size());
-  int const input_count = static_cast<int>(controls.size());
-  Node* control_output = jsgraph_->graph()->NewNode(
-      jsgraph_->common()->Merge(input_count), input_count, &controls.front());
-  values.push_back(control_output);
-  effects.push_back(control_output);
-  Node* value_output = jsgraph_->graph()->NewNode(
-      jsgraph_->common()->Phi(kMachAnyTagged, input_count),
-      static_cast<int>(values.size()), &values.front());
-  Node* effect_output = jsgraph_->graph()->NewNode(
-      jsgraph_->common()->EffectPhi(input_count),
-      static_cast<int>(effects.size()), &effects.front());
-
-  ReplaceWithValue(call, value_output, effect_output, control_output);
-
-  return Changed(value_output);
+
+  // Depending on whether the inlinee produces a value, we either replace value
+  // uses with said value or kill value uses if no value can be returned.
+  if (values.size() > 0) {
+    int const input_count = static_cast<int>(controls.size());
+    Node* control_output = jsgraph_->graph()->NewNode(
+        jsgraph_->common()->Merge(input_count), input_count, &controls.front());
+    values.push_back(control_output);
+    effects.push_back(control_output);
+    Node* value_output = jsgraph_->graph()->NewNode(
+        jsgraph_->common()->Phi(kMachAnyTagged, input_count),
+        static_cast<int>(values.size()), &values.front());
+    Node* effect_output = jsgraph_->graph()->NewNode(
+        jsgraph_->common()->EffectPhi(input_count),
+        static_cast<int>(effects.size()), &effects.front());
+    ReplaceWithValue(call, value_output, effect_output, control_output);
+    return Changed(value_output);
+  } else {
+    ReplaceWithValue(call, call, call, jsgraph_->Dead());
+    return Changed(call);
+  }
 }



--- a/test/mjsunit/regress/regress-crbug-530598.js
+++ b/test/mjsunit/regress/regress-crbug-530598.js
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo-inlining
+
+var f1 = (function() {
+  "use asm";
+  function g() { throw 0; }
+  function f() { return g(); }
+  return f;
+})();
+assertThrows("f1()");
+%OptimizeFunctionOnNextCall(f1);
+assertThrows("f1()");
+
+var f2 = (function() {
+  "use asm";
+  function g() { for (;;); }
+  function f(a) { return a || g(); }
+  return f;
+})();
+assertTrue(f2(true));
+%OptimizeFunctionOnNextCall(f2);
+assertTrue(f2(true));