[turbofan] Disable inlining of derived class constructors.

The inlining logic doesn't account for the fact that the derived constructor could return a primitive, thus leaking the implicit receiver (which is the hole). R=jarin@chromium.org BUG=chromium:706642 Review-Url: https://codereview.chromium.org/2788603002 Cr-Commit-Position: refs/heads/master@{#44264}

[turbofan] Disable inlining of derived class constructors.
The inlining logic doesn't account for the fact that the derived constructor could return a primitive, thus leaking the implicit receiver (which is the hole). R=jarin@chromium.org BUG=chromium:706642 Review-Url: https://codereview.chromium.org/2788603002 Cr-Commit-Position: refs/heads/master@{#44264}
c019e53c · bmeurer · Commit bot · eef2a462 · c019e53c · c019e53c
Commit c019e53c authored Mar 30, 2017 by bmeurer Committed by Commit bot Mar 30, 2017
Show whitespace changes
Inline Side-by-side

Showing with 49 additions and 0 deletions

js-inlining.cc src/compiler/js-inlining.cc +12 -0

regress-crbug-706642.js test/mjsunit/regress/regress-crbug-706642.js +37 -0

No files found.
--- a/src/compiler/js-inlining.cc
+++ b/src/compiler/js-inlining.cc
@@ -481,6 +481,18 @@ Reduction JSInliner::ReduceJSCall(Node* node) {
    return NoChange();
  }

+  // TODO(706642): Don't inline derived class constructors for now, as the
+  // inlining logic doesn't deal properly with derived class constructors
+  // that return a primitive, i.e. it's not in sync with what the Parser
+  // and the JSConstructSub does.
+  if (node->opcode() == IrOpcode::kJSConstruct &&
+      IsDerivedConstructor(shared_info->kind())) {
+    TRACE("Not inlining %s into %s because constructor is derived.\n",
+          shared_info->DebugName()->ToCString().get(),
+          info_->shared_info()->DebugName()->ToCString().get());
+    return NoChange();
+  }
+
  // Class constructors are callable, but [[Call]] will raise an exception.
  // See ES6 section 9.2.1 [[Call]] ( thisArgument, argumentsList ).
  if (node->opcode() == IrOpcode::kJSCall &&

--- a/test/mjsunit/regress/regress-crbug-706642.js
+++ b/test/mjsunit/regress/regress-crbug-706642.js
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+class A extends Object {
+  constructor(arg) {
+    super();
+    superclass_counter++;
+    if (superclass_counter === 3) {
+      return 1;
+    }
+  }
+}
+
+class B extends A {
+  constructor() {
+    let x = super(123);
+    return x.a;
+  }
+}
+
+var superclass_counter = 0;
+var observer = new Proxy(A, {
+  get(target, property, receiver) {
+    if (property === 'prototype') {
+      %DeoptimizeFunction(B);
+    }
+    return Reflect.get(target, property, receiver);
+  }
+});
+
+Reflect.construct(B, [], observer);
+Reflect.construct(B, [], observer);
+%OptimizeFunctionOnNextCall(B);
+assertThrows(() => Reflect.construct(B, [], observer), TypeError);