[turbofan] Don't verify context input of Create*Context nodes

The verifier tried to assert that the context input of Create*Context nodes has type OtherInternal (all Context constants have that type). This didn't quite work because of OSR values so actually it checked something much weaker. And what it checked still doesn't work because of dead code, in which the context input might statically be known to be the undefined value. I'm removing the assertion entirely now. I suspect that there are other assertions in the verifier that don't hold in the OSR code or in dead code. We are discussing a more general solution such as inserting TypeGuards in the relevant cases. Bug: chromium:1037771 Change-Id: I6fb59c60e7120d5984ea0fe140269f2df6de8708 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2010792 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#65871}

[turbofan] Don't verify context input of Create*Context nodes
The verifier tried to assert that the context input of Create*Context nodes has type OtherInternal (all Context constants have that type). This didn't quite work because of OSR values so actually it checked something much weaker. And what it checked still doesn't work because of dead code, in which the context input might statically be known to be the undefined value. I'm removing the assertion entirely now. I suspect that there are other assertions in the verifier that don't hold in the OSR code or in dead code. We are discussing a more general solution such as inserting TypeGuards in the relevant cases. Bug: chromium:1037771 Change-Id: I6fb59c60e7120d5984ea0fe140269f2df6de8708 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2010792 Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Auto-Submit: Georg Neis <neis@chromium.org> Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/master@{#65871}
e33d6338 · Georg Neis · Commit Bot · d99eaef7 · e33d6338 · e33d6338
Commit e33d6338 authored Jan 20, 2020 by Georg Neis Committed by Commit Bot Jan 20, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 4 deletions

verifier.cc src/compiler/verifier.cc +0 -4

regress-1037771.js test/mjsunit/compiler/regress-1037771.js +30 -0

No files found.
--- a/src/compiler/verifier.cc
+++ b/src/compiler/verifier.cc
@@ -764,10 +764,6 @@ void Verifier::Visitor::Check(Node* node, const AllNodes& all) {
    case IrOpcode::kJSCreateCatchContext:
    case IrOpcode::kJSCreateWithContext:
    case IrOpcode::kJSCreateBlockContext: {
-      Node* context = NodeProperties::GetContextInput(node);
-      // TODO(bmeurer): This should say CheckTypeIs, but we don't have type
-      // OtherInternal on certain contexts, i.e. those from OsrValue inputs.
-      CheckTypeMaybe(context, Type::OtherInternal());
      CheckTypeIs(node, Type::OtherInternal());
      break;
    }

--- a/test/mjsunit/compiler/regress-1037771.js
+++ b/test/mjsunit/compiler/regress-1037771.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --interrupt-budget=1024
+
+async function* r() {
+  for (var l = "" in { goo: ()=>{} }) {
+    for (let n = 0; n < 500; (t ? -500 : 0)) {
+      n++;
+      if (n > 1) break;
+      try {
+        r.blabadfasdfasdfsdafsdsadf();
+      } catch (e) {
+        for (let n = 0; n < 500; n++);
+        for (let n in t) {
+          return t[n];
+        }
+      }
+      try { r(n, null) } catch (e) {}
+    }
+  }
+}
+let t = r();
+t.return({
+  get then() {
+    let n = r();
+    n.next();
+  }
+});