[maglev] Fix clobbered register in ThrowIfNotSuperConstructor

The kContextRegister can alias allocated registers - when setting it, take care not to unintentionally clobber. Bug: v8:7700 Change-Id: I0635d334fb14fa15540582a4873d4186fffa2199 Fixed: chromium:1363450 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3897634 Auto-Submit: Jakob Linke <jgruber@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83212}

[maglev] Fix clobbered register in ThrowIfNotSuperConstructor
The kContextRegister can alias allocated registers - when setting it, take care not to unintentionally clobber. Bug: v8:7700 Change-Id: I0635d334fb14fa15540582a4873d4186fffa2199 Fixed: chromium:1363450 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3897634 Auto-Submit: Jakob Linke <jgruber@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#83212}
9f13a300 · Jakob Linke · V8 LUCI CQ · fa103efb · 9f13a300 · 9f13a300
Commit 9f13a300 authored Sep 15, 2022 by Jakob Linke Committed by V8 LUCI CQ Sep 15, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 1 deletion

maglev-ir.cc src/maglev/maglev-ir.cc +1 -1

regress-1363450.js test/mjsunit/maglev/regress/regress-1363450.js +22 -0

No files found.
--- a/src/maglev/maglev-ir.cc
+++ b/src/maglev/maglev-ir.cc
@@ -3294,9 +3294,9 @@ void ThrowIfNotSuperConstructor::GenerateCode(MaglevAssembler* masm,
      equal,
      [](MaglevAssembler* masm, Label* return_label,
         ThrowIfNotSuperConstructor* node) {
-        __ Move(kContextRegister, masm->native_context().object());
        __ Push(ToRegister(node->constructor()));
        __ Push(ToRegister(node->function()));
+        __ Move(kContextRegister, masm->native_context().object());
        __ CallRuntime(Runtime::kThrowNotSuperConstructor, 2);
        masm->DefineLazyDeoptPoint(node->lazy_deopt_info());
        __ Abort(AbortReason::kUnexpectedReturnFromThrow);

--- a/test/mjsunit/maglev/regress/regress-1363450.js
+++ b/test/mjsunit/maglev/regress/regress-1363450.js
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+class C extends (class {}) {
+  constructor() {
+    var f = () => {
+      try { C.__proto__ = null; } catch {}
+      try { super(); } catch {}
+    };
+    %PrepareFunctionForOptimization(f);
+    f();
+    %OptimizeMaglevOnNextCall(f);
+  }
+}
+try { new C(); } catch {}
+// The next 2 calls deopt before reaching relevant bits.
+try { new C(); } catch {}
+try { new C(); } catch {}
+try { new C(); } catch {}