Commit b3ce13f4 authored by Mike Stanton, committed by Commit Bot

[Turbofan] Fix crash in MapInference::~MapInference

CL https://chromium-review.googlesource.com/c/v8/v8/+/1660623
("[Turbofan] Brokerize more promise reductions in JSCallReducer")
introduced a bug where we bail out of a call reduction but failed
to remove graph constructs added by the MapInference class.

R=jarin@chromium.org

Bug: chromium:976256, chromium:976524
Change-Id: I97f142fe6c1caba5e679f7df742893536c83b2d8
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1666990
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Stanton <mvstanton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62267}
parent bb7bb8b7
...@@ -5843,7 +5843,7 @@ Reduction JSCallReducer::ReducePromisePrototypeCatch(Node* node) { ...@@ -5843,7 +5843,7 @@ Reduction JSCallReducer::ReducePromisePrototypeCatch(Node* node) {
Node* control = NodeProperties::GetControlInput(node); Node* control = NodeProperties::GetControlInput(node);
MapInference inference(broker(), receiver, effect); MapInference inference(broker(), receiver, effect);
if (!DoPromiseChecks(&inference)) return NoChange(); if (!DoPromiseChecks(&inference)) return inference.NoChange();
if (!dependencies()->DependOnPromiseThenProtector()) if (!dependencies()->DependOnPromiseThenProtector())
return inference.NoChange(); return inference.NoChange();
...@@ -5895,7 +5895,7 @@ Reduction JSCallReducer::ReducePromisePrototypeFinally(Node* node) { ...@@ -5895,7 +5895,7 @@ Reduction JSCallReducer::ReducePromisePrototypeFinally(Node* node) {
} }
MapInference inference(broker(), receiver, effect); MapInference inference(broker(), receiver, effect);
if (!DoPromiseChecks(&inference)) return NoChange(); if (!DoPromiseChecks(&inference)) return inference.NoChange();
MapHandles const& receiver_maps = inference.GetMaps(); MapHandles const& receiver_maps = inference.GetMaps();
// Check if we have the required scope_info. // Check if we have the required scope_info.
......
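Review bot: Returning the reducer's own `NoChange()` after `DoPromiseChecks(&inference)` is a mistake the compiler cannot catch, so any other caller of `DoPromiseChecks` outside these two hunks should be checked for a remaining `return NoChange();`. In ReducePromisePrototypeCatch the very next bailout already went through `inference.NoChange()`, which shows how easily the two forms get mixed within one function. A call-site comment such as `// Bail out via the inference so the graph constructs it added are removed.` would make the requirement visible where the early return is written. Both functions start and end outside the hunks shown, so later bailouts in them could not be checked from here.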
...@@ -193,7 +193,9 @@ class V8_EXPORT_PRIVATE JSCallReducer final : public AdvancedReducer { ...@@ -193,7 +193,9 @@ class V8_EXPORT_PRIVATE JSCallReducer final : public AdvancedReducer {
Reduction ReduceNumberConstructor(Node* node); Reduction ReduceNumberConstructor(Node* node);
// Helper to verify promise receiver maps are as expected. // Helper to verify promise receiver maps are as expected.
// On bailout from a reduction, be sure to return inference.NoChange().
bool DoPromiseChecks(MapInference* inference); bool DoPromiseChecks(MapInference* inference);
Node* CreateClosureFromBuiltinSharedFunctionInfo(SharedFunctionInfoRef shared, Node* CreateClosureFromBuiltinSharedFunctionInfo(SharedFunctionInfoRef shared,
Node* context, Node* effect, Node* context, Node* effect,
Node* control); Node* control);
......
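Review bot: The comment added above `DoPromiseChecks` states the rule but not the consequence of breaking it, and this comment is the only visible thing enforcing the rule. I would name the failure mode, for example `// On bailout after calling this, return inference.NoChange() rather than NoChange(); otherwise ~MapInference crashes.` The consequence is taken from the commit title; the destructor is not visible here, so the exact condition it checks should be confirmed before wording the comment more precisely.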
// Copyright 2019 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function foo(r) {
return r.finally();
}
const resolution = Promise.resolve();
%PrepareFunctionForOptimization(foo);
foo(resolution);
function bar() {
try {
foo(undefined);
} catch (e) {}
}
bar();
bar();
%OptimizeFunctionOnNextCall(bar);
bar();
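Review bot: The regression test drives only `r.finally()`, so the identical fix in ReducePromisePrototypeCatch has no coverage in the lines visible here. The commit cites two bugs, so a second test may exist outside this view. If it does not, a sibling such as `function baz(r) { return r.catch(); }`, run through the same warm-up and `%OptimizeFunctionOnNextCall` sequence, would pin the other call site. A short comment on the empty `catch (e) {}` would also help, for instance `// foo(undefined) throws a TypeError; the test only checks that optimizing bar does not crash.`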