[turbofan] Fix call of ReduceElementAccessOnString

We tried to pass the load mode even for stores.

Bug: chromium:977670
Change-Id: I2527a5ca755dba343b75f54383d17e22be0a20a5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1672940
Auto-Submit: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#62333}

src/compiler/js-native-context-specialization.cc

@@ -1378,17 +1378,16 @@ Reduction JSNativeContextSpecialization::ReduceJSStoreNamedOwn(Node* node) {
 }
 
 Reduction JSNativeContextSpecialization::ReduceElementAccessOnString(
-    Node* node, Node* index, Node* value, AccessMode access_mode,
-    KeyedAccessLoadMode load_mode) {
+    Node* node, Node* index, Node* value, KeyedAccessMode const& keyed_mode) {
   Node* receiver = NodeProperties::GetValueInput(node, 0);
   Node* effect = NodeProperties::GetEffectInput(node);
   Node* control = NodeProperties::GetControlInput(node);
 
   // Strings are immutable in JavaScript.
-  if (access_mode == AccessMode::kStore) return NoChange();
+  if (keyed_mode.access_mode() == AccessMode::kStore) return NoChange();
 
   // `in` cannot be used on strings.
-  if (access_mode == AccessMode::kHas) return NoChange();
+  if (keyed_mode.access_mode() == AccessMode::kHas) return NoChange();
 
   // Ensure that the {receiver} is actually a String.
   receiver = effect = graph()->NewNode(
@@ -1400,7 +1399,7 @@ Reduction JSNativeContextSpecialization::ReduceElementAccessOnString(
   // Load the single character string from {receiver} or yield undefined
   // if the {index} is out of bounds (depending on the {load_mode}).
   value = BuildIndexedStringLoad(receiver, index, length, &effect, &control,
-                                 load_mode);
+                                 keyed_mode.load_mode());
 
   ReplaceWithValue(node, value, effect, control);
   return Replace(value);
@@ -1444,8 +1443,8 @@ Reduction JSNativeContextSpecialization::ReduceElementAccess(
 
   if (HasOnlyStringMaps(broker(), processed.receiver_maps)) {
     DCHECK(processed.transitions.empty());
-    return ReduceElementAccessOnString(node, index, value, access_mode,
-                                       processed.keyed_mode.load_mode());
+    return ReduceElementAccessOnString(node, index, value,
+                                       processed.keyed_mode);
   }
 
   // Compute element access infos for the receiver maps.

src/compiler/js-native-context-specialization.h

@@ -117,8 +117,7 @@ class V8_EXPORT_PRIVATE JSNativeContextSpecialization final
                                             AccessMode access_mode,
                                             KeyedAccessLoadMode load_mode);
   Reduction ReduceElementAccessOnString(Node* node, Node* index, Node* value,
-                                        AccessMode access_mode,
-                                        KeyedAccessLoadMode load_mode);
+                                        KeyedAccessMode const& keyed_mode);
 
   Reduction ReduceSoftDeoptimize(Node* node, DeoptimizeReason reason);
   Reduction ReduceJSToString(Node* node);

test/mjsunit/compiler/regress-977670.js

+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo() {
+  var i;
+  for (i in 'xxxxxxxx') {
+    try { throw 42 } catch (e) {}
+  }
+  print(i);
+  i['' + 'length'] = 42;
+}
+
+foo();
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();