[turbofan] Fix value output count range on Operator.

This widens the range of value output counts to 32 bit on the {Operator}
class. Note that the limit imposed by the parser is 65535 parameters for
each function, but the {Start} node has additional value outputs.

R=jarin@chromium.org
TEST=mjsunit/regress/regress-crbug-724153
BUG=chromium:724153

Change-Id: I21b5d947cc2305b255ddbbff6ec1dfa5c02784c7
Reviewed-on: https://chromium-review.googlesource.com/517489Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Michael Starzinger <mstarzinger@chromium.org>
Cr-Commit-Position: refs/heads/master@{#45573}

src/compiler/bytecode-graph-builder.cc

@@ -522,7 +522,7 @@ VectorSlotPair BytecodeGraphBuilder::CreateVectorSlotPair(int slot_id) {
   return VectorSlotPair(feedback_vector(), slot);
 }
 
-bool BytecodeGraphBuilder::CreateGraph(bool stack_check) {
+void BytecodeGraphBuilder::CreateGraph(bool stack_check) {
   SourcePositionTable::Scope pos_scope(source_positions_, start_position_);
 
   // Set up the basic structure of the graph. Outputs for {Start} are the formal
@@ -544,8 +544,6 @@ bool BytecodeGraphBuilder::CreateGraph(bool stack_check) {
   Node** const inputs = &exit_controls_.front();
   Node* end = graph()->NewNode(common()->End(input_count), input_count, inputs);
   graph()->SetEnd(end);
-
-  return true;
 }
 
 void BytecodeGraphBuilder::PrepareEagerCheckpoint() {

src/compiler/bytecode-graph-builder.h

@@ -35,7 +35,7 @@ class BytecodeGraphBuilder {
       JSTypeHintLowering::Flags flags = JSTypeHintLowering::kNoFlags);
 
   // Creates a graph by visiting bytecodes.
-  bool CreateGraph(bool stack_check = true);
+  void CreateGraph(bool stack_check = true);
 
  private:
   class Environment;

src/compiler/operator.cc

@@ -24,20 +24,16 @@ V8_INLINE N CheckRange(size_t val) {
 
 }  // namespace
 
-
-// static
-STATIC_CONST_MEMBER_DEFINITION const size_t Operator::kMaxControlOutputCount;
-
 Operator::Operator(Opcode opcode, Properties properties, const char* mnemonic,
                    size_t value_in, size_t effect_in, size_t control_in,
                    size_t value_out, size_t effect_out, size_t control_out)
-    : opcode_(opcode),
+    : mnemonic_(mnemonic),
+      opcode_(opcode),
       properties_(properties),
-      mnemonic_(mnemonic),
       value_in_(CheckRange<uint32_t>(value_in)),
       effect_in_(CheckRange<uint16_t>(effect_in)),
       control_in_(CheckRange<uint16_t>(control_in)),
-      value_out_(CheckRange<uint16_t>(value_out)),
+      value_out_(CheckRange<uint32_t>(value_out)),
       effect_out_(CheckRange<uint8_t>(effect_out)),
       control_out_(CheckRange<uint32_t>(control_out)) {}
 

src/compiler/operator.h

@@ -95,9 +95,6 @@ class V8_EXPORT_PRIVATE Operator : public NON_EXPORTED_BASE(ZoneObject) {
 
   Properties properties() const { return properties_; }
 
-  // TODO(bmeurer): Use bit fields below?
-  static const size_t kMaxControlOutputCount = (1u << 16) - 1;
-
   // TODO(titzer): convert return values here to size_t.
   int ValueInputCount() const { return value_in_; }
   int EffectInputCount() const { return effect_in_; }
@@ -136,13 +133,13 @@ class V8_EXPORT_PRIVATE Operator : public NON_EXPORTED_BASE(ZoneObject) {
   virtual void PrintToImpl(std::ostream& os, PrintVerbosity verbose) const;
 
  private:
+  const char* mnemonic_;
   Opcode opcode_;
   Properties properties_;
-  const char* mnemonic_;
   uint32_t value_in_;
   uint16_t effect_in_;
   uint16_t control_in_;
-  uint16_t value_out_;
+  uint32_t value_out_;
   uint8_t effect_out_;
   uint32_t control_out_;
 

src/compiler/pipeline.cc

@@ -772,8 +772,6 @@ struct GraphBuilderPhase {
   static const char* phase_name() { return "graph builder"; }
 
   void Run(PipelineData* data, Zone* temp_zone) {
-    bool succeeded = false;
-
     if (data->info()->is_optimizing_from_bytecode()) {
       // Bytecode graph builder assumes deoptimziation is enabled.
       DCHECK(data->info()->is_deoptimization_enabled());
@@ -786,16 +784,14 @@ struct GraphBuilderPhase {
           handle(data->info()->closure()->feedback_vector()),
           data->info()->osr_ast_id(), data->jsgraph(), CallFrequency(1.0f),
           data->source_positions(), SourcePosition::kNotInlined, flags);
-      succeeded = graph_builder.CreateGraph();
+      graph_builder.CreateGraph();
     } else {
       AstGraphBuilderWithPositions graph_builder(
           temp_zone, data->info(), data->jsgraph(), CallFrequency(1.0f),
           data->loop_assignment(), data->source_positions());
-      succeeded = graph_builder.CreateGraph();
-    }
-
-    if (!succeeded) {
-      data->set_compilation_failed();
+      if (!graph_builder.CreateGraph()) {
+        data->set_compilation_failed();
+      }
     }
   }
 };

test/mjsunit/regress/regress-crbug-724153.js

+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --no-turbo-verify
+
+(function TestParameterLimit() {
+  var src = '(function f(a,';
+  for (var i = 0; i < 65535 - 2; i++) {
+    src += 'b' + i + ',';
+  }
+  src += 'c) { return a + c })';
+  var f = eval(src);
+  assertEquals(NaN, f(1));
+  assertEquals(NaN, f(2));
+  %OptimizeFunctionOnNextCall(f);
+  assertEquals(NaN, f(3));
+})();