v8: fix load elimination liveness checks

This commit back-ports the implementations of IsRename() and MayAlias() from the upstream 8.0 branch wholesale. Fixes several bugs where V8's load elimination pass considered values to be alive when they weren't. Fixes: #31484 PR-URL: #31613 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Beth Griggs <[email protected]>
nodejs · Feb 26, 2020 · dc61e09 · dc61e09
1 parent f29fb14
commit dc61e09
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 23 deletions.
diff --git a/deps/v8/src/compiler/load-elimination.cc b/deps/v8/src/compiler/load-elimination.cc
@@ -21,7 +21,7 @@ bool IsRename(Node* node) {
   switch (node->opcode()) {
     case IrOpcode::kFinishRegion:
     case IrOpcode::kTypeGuard:
-      return true;
+      return !node->IsDead();
     default:
       return false;
   }
@@ -35,12 +35,14 @@ Node* ResolveRenames(Node* node) {
 }
 
 bool MayAlias(Node* a, Node* b) {
-  if (a == b) return true;
-  if (!NodeProperties::GetType(a).Maybe(NodeProperties::GetType(b))) {
-    return false;
-  }
-  switch (b->opcode()) {
-    case IrOpcode::kAllocate: {
+  if (a != b) {
+    if (!NodeProperties::GetType(a).Maybe(NodeProperties::GetType(b))) {
+      return false;
+    } else if (IsRename(b)) {
+      return MayAlias(a, b->InputAt(0));
+    } else if (IsRename(a)) {
+      return MayAlias(a->InputAt(0), b);
+    } else if (b->opcode() == IrOpcode::kAllocate) {
       switch (a->opcode()) {
         case IrOpcode::kAllocate:
         case IrOpcode::kHeapConstant:
@@ -49,30 +51,15 @@ bool MayAlias(Node* a, Node* b) {
         default:
           break;
       }
-      break;
-    }
-    case IrOpcode::kFinishRegion:
-    case IrOpcode::kTypeGuard:
-      return MayAlias(a, b->InputAt(0));
-    default:
-      break;
-  }
-  switch (a->opcode()) {
-    case IrOpcode::kAllocate: {
+    } else if (a->opcode() == IrOpcode::kAllocate) {
       switch (b->opcode()) {
         case IrOpcode::kHeapConstant:
         case IrOpcode::kParameter:
           return false;
         default:
           break;
       }
-      break;
     }
-    case IrOpcode::kFinishRegion:
-    case IrOpcode::kTypeGuard:
-      return MayAlias(a->InputAt(0), b);
-    default:
-      break;
   }
   return true;
 }

diff --git a/deps/v8/test/mjsunit/regress/regress-906406.js b/deps/v8/test/mjsunit/regress/regress-906406.js
@@ -0,0 +1,7 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+for (x = 0; x < 10000; ++x) {
+    [(x) => x, [, 4294967295].find((x) => x), , 2].includes('x', -0);
+}