[turbofan] Fix ForInStatement that deopts during filter.

This adds a missing bailout id to a ForInStatement for when retrieving
and filtering a property name deoptimizes. This can happen with proxies
that have a getPropertyDescriptor trap.

R=jarin@chromium.org
TEST=mjsunit/for-in-opt

Review URL: https://codereview.chromium.org/1086083002

Cr-Commit-Position: refs/heads/master@{#27846}

src/arm/full-codegen-arm.cc

@@ -1285,6 +1285,7 @@ void FullCodeGenerator::VisitForInStatement(ForInStatement* stmt) {
   __ push(r1);  // Enumerable.
   __ push(r3);  // Current entry.
   __ InvokeBuiltin(Builtins::FILTER_KEY, CALL_FUNCTION);
+  PrepareForBailoutForId(stmt->FilterId(), TOS_REG);
   __ mov(r3, Operand(r0), SetCC);
   __ b(eq, loop_statement.continue_label());
 

src/arm64/full-codegen-arm64.cc

@@ -1272,6 +1272,7 @@ void FullCodeGenerator::VisitForInStatement(ForInStatement* stmt) {
   // just skip it.
   __ Push(x1, x3);
   __ InvokeBuiltin(Builtins::FILTER_KEY, CALL_FUNCTION);
+  PrepareForBailoutForId(stmt->FilterId(), TOS_REG);
   __ Mov(x3, x0);
   __ Cbz(x0, loop_statement.continue_label());
 

src/ast.h

@@ -921,12 +921,13 @@ class ForInStatement FINAL : public ForEachStatement {
   ForInType for_in_type() const { return for_in_type_; }
   void set_for_in_type(ForInType type) { for_in_type_ = type; }
 
-  static int num_ids() { return parent_num_ids() + 5; }
+  static int num_ids() { return parent_num_ids() + 6; }
   BailoutId BodyId() const { return BailoutId(local_id(0)); }
   BailoutId PrepareId() const { return BailoutId(local_id(1)); }
   BailoutId EnumId() const { return BailoutId(local_id(2)); }
   BailoutId ToObjectId() const { return BailoutId(local_id(3)); }
-  BailoutId AssignmentId() const { return BailoutId(local_id(4)); }
+  BailoutId FilterId() const { return BailoutId(local_id(4)); }
+  BailoutId AssignmentId() const { return BailoutId(local_id(5)); }
   BailoutId ContinueId() const OVERRIDE { return EntryId(); }
   BailoutId StackCheckId() const OVERRIDE { return BodyId(); }
 

src/compiler/ast-graph-builder.cc

@@ -1270,8 +1270,7 @@ void AstGraphBuilder::VisitForInBody(ForInStatement* stmt) {
     // is gone.
     Node* res = NewNode(javascript()->CallFunction(3, NO_CALL_FUNCTION_FLAGS),
                         function, obj, value);
-    // TODO(jarin): provide real bailout id.
-    PrepareFrameState(res, BailoutId::None());
+    PrepareFrameState(res, stmt->FilterId(), OutputFrameStateCombine::Push());
     Node* property_missing =
         NewNode(javascript()->StrictEqual(), res, jsgraph()->ZeroConstant());
     {

src/ia32/full-codegen-ia32.cc

@@ -1210,6 +1210,7 @@ void FullCodeGenerator::VisitForInStatement(ForInStatement* stmt) {
   __ push(ecx);  // Enumerable.
   __ push(ebx);  // Current entry.
   __ InvokeBuiltin(Builtins::FILTER_KEY, CALL_FUNCTION);
+  PrepareForBailoutForId(stmt->FilterId(), TOS_REG);
   __ test(eax, eax);
   __ j(equal, loop_statement.continue_label());
   __ mov(ebx, eax);

src/mips/full-codegen-mips.cc

@@ -1273,6 +1273,7 @@ void FullCodeGenerator::VisitForInStatement(ForInStatement* stmt) {
   // just skip it.
   __ Push(a1, a3);  // Enumerable and current entry.
   __ InvokeBuiltin(Builtins::FILTER_KEY, CALL_FUNCTION);
+  PrepareForBailoutForId(stmt->FilterId(), TOS_REG);
   __ mov(a3, result_register());
   __ Branch(loop_statement.continue_label(), eq, a3, Operand(zero_reg));
 

src/mips64/full-codegen-mips64.cc

@@ -1269,6 +1269,7 @@ void FullCodeGenerator::VisitForInStatement(ForInStatement* stmt) {
   // just skip it.
   __ Push(a1, a3);  // Enumerable and current entry.
   __ InvokeBuiltin(Builtins::FILTER_KEY, CALL_FUNCTION);
+  PrepareForBailoutForId(stmt->FilterId(), TOS_REG);
   __ mov(a3, result_register());
   __ Branch(loop_statement.continue_label(), eq, a3, Operand(zero_reg));
 

src/ppc/full-codegen-ppc.cc

@@ -1241,6 +1241,7 @@ void FullCodeGenerator::VisitForInStatement(ForInStatement* stmt) {
   // just skip it.
   __ Push(r4, r6);  // Enumerable and current entry.
   __ InvokeBuiltin(Builtins::FILTER_KEY, CALL_FUNCTION);
+  PrepareForBailoutForId(stmt->FilterId(), TOS_REG);
   __ mr(r6, r3);
   __ cmpi(r6, Operand::Zero());
   __ beq(loop_statement.continue_label());

src/x64/full-codegen-x64.cc

@@ -1244,6 +1244,7 @@ void FullCodeGenerator::VisitForInStatement(ForInStatement* stmt) {
   __ Push(rcx);  // Enumerable.
   __ Push(rbx);  // Current entry.
   __ InvokeBuiltin(Builtins::FILTER_KEY, CALL_FUNCTION);
+  PrepareForBailoutForId(stmt->FilterId(), TOS_REG);
   __ Cmp(rax, Smi::FromInt(0));
   __ j(equal, loop_statement.continue_label());
   __ movp(rbx, rax);

src/x87/full-codegen-x87.cc

@@ -1199,6 +1199,7 @@ void FullCodeGenerator::VisitForInStatement(ForInStatement* stmt) {
   __ push(ecx);  // Enumerable.
   __ push(ebx);  // Current entry.
   __ InvokeBuiltin(Builtins::FILTER_KEY, CALL_FUNCTION);
+  PrepareForBailoutForId(stmt->FilterId(), TOS_REG);
   __ test(eax, eax);
   __ j(equal, loop_statement.continue_label());
   __ mov(ebx, eax);

test/mjsunit/mjsunit.status

@@ -113,9 +113,6 @@
   'debug-listbreakpoints': [PASS, NO_VARIANTS],  # arm64 nosnap with turbofan
   'debug-enable-disable-breakpoints': [PASS, NO_VARIANTS],  #arm64 nosnap with turbofan.
 
-  # TODO(jarin): Fix for-in deopt points in turbofan.
-  'for-in-opt': [PASS, NO_VARIANTS],
-
   # TODO(mstarzinger): Optimizing top-level code flushed out some correctness
   # issues on ARM and ARM64.
   'es6/math-log2-log10': [PASS, NO_VARIANTS],  # on ARM and ARM64.