[interpreter] Don't emit dead try blocks

Try blocks (whether catch or finally) will unconditionally create handler tables and start a new basic block for the exception handler. This can accidentally resurrect a dead block when the entire try block is dead (and hence can never enter the exception handler in the first place). Add a deadness check to BuildTryCatch/Finally to fix this. Bug: chromium:1273677 Change-Id: Icda9deb1459e47de5cb83e7b636299e24c3ebe77 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306555 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#78179}

[interpreter] Don't emit dead try blocks
Try blocks (whether catch or finally) will unconditionally create handler tables and start a new basic block for the exception handler. This can accidentally resurrect a dead block when the entire try block is dead (and hence can never enter the exception handler in the first place). Add a deadness check to BuildTryCatch/Finally to fix this. Bug: chromium:1273677 Change-Id: Icda9deb1459e47de5cb83e7b636299e24c3ebe77 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3306555 Commit-Queue: Leszek Swirski <leszeks@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Reviewed-by: Marja Hölttä <marja@chromium.org> Auto-Submit: Leszek Swirski <leszeks@chromium.org> Cr-Commit-Position: refs/heads/main@{#78179}
a858cfd3 · Leszek Swirski · V8 LUCI CQ · 38f97cae · a858cfd3 · a858cfd3
Commit a858cfd3 authored Dec 01, 2021 by Leszek Swirski Committed by V8 LUCI CQ Dec 01, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 0 deletions

bytecode-generator.cc src/interpreter/bytecode-generator.cc +4 -0

regress-1273677.js test/mjsunit/regress/regress-1273677.js +20 -0

No files found.
--- a/src/interpreter/bytecode-generator.cc
+++ b/src/interpreter/bytecode-generator.cc
@@ -2133,6 +2133,8 @@ void BytecodeGenerator::BuildTryCatch(
    TryBodyFunc try_body_func, CatchBodyFunc catch_body_func,
    HandlerTable::CatchPrediction catch_prediction,
    TryCatchStatement* stmt_for_coverage) {
+  if (builder()->RemainderOfBlockIsDead()) return;
+
  TryCatchBuilder try_control_builder(
      builder(),
      stmt_for_coverage == nullptr ? nullptr : block_coverage_builder_,
@@ -2163,6 +2165,8 @@ void BytecodeGenerator::BuildTryFinally(
    TryBodyFunc try_body_func, FinallyBodyFunc finally_body_func,
    HandlerTable::CatchPrediction catch_prediction,
    TryFinallyStatement* stmt_for_coverage) {
+  if (builder()->RemainderOfBlockIsDead()) return;
+
  // We can't know whether the finally block will override ("catch") an
  // exception thrown in the try block, so we just adopt the outer prediction.
  TryFinallyBuilder try_control_builder(

--- a/test/mjsunit/regress/regress-1273677.js
+++ b/test/mjsunit/regress/regress-1273677.js
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+function test() {}
+function foo() {
+  // --test() will throw a ReferenceError, making the rest of the for-of loop
+  // dead. The destructuring assignment is still part of the same expression,
+  // and it generates a try-finally for its iteration, so if it isn't fully
+  // eliminated the finally block may resurrect the destructuring assignment
+  // loop.
+  for (let [x] of --test()) {}
+}
+
+%PrepareFunctionForOptimization(foo);
+try { foo() } catch {}
+%OptimizeFunctionOnNextCall(foo);
+try { foo() } catch {}