[compiler] Fix RepresentationChangerError in Array.p.shift

In JSCallReducer::ReduceArrayPrototypeShift, add Unsigned32 TypeGuard for index Node used in fast path, avoid representing kRepFloat64 (Range(1, inf)) to kRepWord64 when converting input for kLoadElement. Bug: v8:12632 Change-Id: I2e4b00840dc5462e4351e13a372c33b6272b9ea1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3528373Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/main@{#79514}

[compiler] Fix RepresentationChangerError in Array.p.shift
In JSCallReducer::ReduceArrayPrototypeShift, add Unsigned32 TypeGuard for index Node used in fast path, avoid representing kRepFloat64 (Range(1, inf)) to kRepWord64 when converting input for kLoadElement. Bug: v8:12632 Change-Id: I2e4b00840dc5462e4351e13a372c33b6272b9ea1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3528373Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/main@{#79514}
e66a1116 · jameslahm · V8 LUCI CQ · c23f9239 · e66a1116 · e66a1116
Commit e66a1116 authored Mar 16, 2022 by jameslahm Committed by V8 LUCI CQ Mar 17, 2022
Hide whitespace changes
Inline Side-by-side

Showing with 25 additions and 3 deletions

js-call-reducer.cc src/compiler/js-call-reducer.cc +8 -3

regress-v8-12632.js test/mjsunit/regress/regress-v8-12632.js +17 -0

No files found.
--- a/src/compiler/js-call-reducer.cc
+++ b/src/compiler/js-call-reducer.cc
@@ -5820,18 +5820,23 @@ Reduction JSCallReducer::ReduceArrayPrototypeShift(Node* node) {
            graph()->NewNode(common()->EffectPhi(2), etrue1, etrue1, loop);
        Node* terminate = graph()->NewNode(common()->Terminate(), eloop, loop);
        NodeProperties::MergeControlToEnd(graph(), common(), terminate);
-        Node* index = graph()->NewNode(
+
+        Node* iloop = graph()->NewNode(
            common()->Phi(MachineRepresentation::kTagged, 2),
            jsgraph()->OneConstant(),
            jsgraph()->Constant(JSArray::kMaxCopyElements - 1), loop);

+        STATIC_ASSERT(JSArray::kMaxCopyElements <
+                      std::numeric_limits<uint32_t>::max());
+
+        Node* index = etrue1 = graph()->NewNode(
+            common()->TypeGuard(Type::Unsigned32()), iloop, eloop, if_true1);
        {
          Node* check2 =
              graph()->NewNode(simplified()->NumberLessThan(), index, length);
          Node* branch2 = graph()->NewNode(common()->Branch(), check2, loop);

          if_true1 = graph()->NewNode(common()->IfFalse(), branch2);
-          etrue1 = eloop;

          Node* control2 = graph()->NewNode(common()->IfTrue(), branch2);
          Node* effect2 = etrue1;
@@ -5849,7 +5854,7 @@ Reduction JSCallReducer::ReduceArrayPrototypeShift(Node* node) {

          loop->ReplaceInput(1, control2);
          eloop->ReplaceInput(1, effect2);
-          index->ReplaceInput(1,
+          iloop->ReplaceInput(1,
                              graph()->NewNode(simplified()->NumberAdd(), index,
                                               jsgraph()->OneConstant()));
        }

--- a/test/mjsunit/regress/regress-v8-12632.js
+++ b/test/mjsunit/regress/regress-v8-12632.js
+// Copyright 2022 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --interrupt-budget=1024 --noturbo-loop-variable
+
+function opt() {
+  const array = [-1, 1];
+  array.shift();
+}
+
+%PrepareFunctionForOptimization(opt);
+opt();
+opt();
+%OptimizeFunctionOnNextCall(opt);
+opt();
+opt();