[turbofan] Disable usage of {maybe_assigned} variable flag.

This disables the usage of the {maybe_assigned} flag that the variable
resolution computes for each variable on non-asm.js code. Note that the
analysis is fundamentally broken for destructuring and top-level lexical
variables. Also note that this still uses the analysis for asm.js code
even though it is not validated. One can still trigger the bug by using
invalid constructs within a function marked with "use asm". The fix is
intentionally minimal so that it can be merged to release branches.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-659915
BUG=chromium:659915

Review-Url: https://codereview.chromium.org/2471523005
Cr-Commit-Position: refs/heads/master@{#40716}

src/compiler/ast-graph-builder.cc

@@ -3358,7 +3358,11 @@ Node* AstGraphBuilder::BuildVariableLoad(Variable* variable,
     case VariableLocation::CONTEXT: {
       // Context variable (potentially up the context chain).
       int depth = current_scope()->ContextChainLength(variable->scope());
-      bool immutable = variable->maybe_assigned() == kNotAssigned;
+      // TODO(mstarzinger): The {maybe_assigned} flag computed during variable
+      // resolution is highly inaccurate and cannot be trusted. We are only
+      // taking this information into account when asm.js compilation is used.
+      bool immutable = variable->maybe_assigned() == kNotAssigned &&
+                       info()->is_function_context_specializing();
       const Operator* op =
           javascript()->LoadContext(depth, variable->index(), immutable);
       Node* value = NewNode(op, current_context());

test/mjsunit/regress/regress-crbug-659915a.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --min-preparse-length=10
+
+let x;
+function f(a) {
+  x += a;
+}
+function g(a) {
+  f(a); return x;
+}
+function h(a) {
+  x = a; return x;
+}
+
+function boom() { return g(1) }
+
+assertEquals(1, h(1));
+assertEquals(2, boom());
+assertEquals(3, boom());
+%OptimizeFunctionOnNextCall(boom);
+assertEquals(4, boom());

test/mjsunit/regress/regress-crbug-659915b.js

+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --min-preparse-length=10
+
+(function() {
+  var x = 23;
+  function f() { return x; }
+  function g() { [x] = [x + 1]; }
+  function h() { g(); return x; }
+
+  function boom() { return h() }
+
+  assertEquals(24, boom());
+  assertEquals(25, boom());
+  assertEquals(26, boom());
+  %OptimizeFunctionOnNextCall(boom);
+  assertEquals(27, boom());
+})();