From dc61e09feb438d3cf4cb09eab3a1d8cf63cd047a Mon Sep 17 00:00:00 2001 From: Ben Noordhuis <info@bnoordhuis.nl> Date: Sat, 1 Feb 2020 13:47:56 +0100 Subject: [PATCH] v8: fix load elimination liveness checks This commit back-ports the implementations of IsRename() and MayAlias() from the upstream 8.0 branch wholesale. Fixes several bugs where V8's load elimination pass considered values to be alive when they weren't. Fixes: https://github.com/nodejs/node/issues/31484 PR-URL: https://github.com/nodejs/node/pull/31613 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com> --- deps/v8/src/compiler/load-elimination.cc | 33 ++++++------------- .../v8/test/mjsunit/regress/regress-906406.js | 7 ++++ 2 files changed, 17 insertions(+), 23 deletions(-) create mode 100644 deps/v8/test/mjsunit/regress/regress-906406.js diff --git a/deps/v8/src/compiler/load-elimination.cc b/deps/v8/src/compiler/load-elimination.cc index 53d5d794d9a978..703bcdd5688028 100644 --- a/deps/v8/src/compiler/load-elimination.cc +++ b/deps/v8/src/compiler/load-elimination.cc @@ -21,7 +21,7 @@ bool IsRename(Node* node) { switch (node->opcode()) { case IrOpcode::kFinishRegion: case IrOpcode::kTypeGuard: - return true; + return !node->IsDead(); default: return false; } @@ -35,12 +35,14 @@ Node* ResolveRenames(Node* node) { } bool MayAlias(Node* a, Node* b) { - if (a == b) return true; - if (!NodeProperties::GetType(a).Maybe(NodeProperties::GetType(b))) { - return false; - } - switch (b->opcode()) { - case IrOpcode::kAllocate: { + if (a != b) { + if (!NodeProperties::GetType(a).Maybe(NodeProperties::GetType(b))) { + return false; + } else if (IsRename(b)) { + return MayAlias(a, b->InputAt(0)); + } else if (IsRename(a)) { + return MayAlias(a->InputAt(0), b); + } else if (b->opcode() == IrOpcode::kAllocate) { switch (a->opcode()) { case IrOpcode::kAllocate: case IrOpcode::kHeapConstant: @@ -49,16 +51,7 @@ bool MayAlias(Node* a, Node* b) { default: break; } - break; - } - case IrOpcode::kFinishRegion: - case IrOpcode::kTypeGuard: - return MayAlias(a, b->InputAt(0)); - default: - break; - } - switch (a->opcode()) { - case IrOpcode::kAllocate: { + } else if (a->opcode() == IrOpcode::kAllocate) { switch (b->opcode()) { case IrOpcode::kHeapConstant: case IrOpcode::kParameter: @@ -66,13 +59,7 @@ bool MayAlias(Node* a, Node* b) { default: break; } - break; } - case IrOpcode::kFinishRegion: - case IrOpcode::kTypeGuard: - return MayAlias(a->InputAt(0), b); - default: - break; } return true; } diff --git a/deps/v8/test/mjsunit/regress/regress-906406.js b/deps/v8/test/mjsunit/regress/regress-906406.js new file mode 100644 index 00000000000000..eb79ff0a0ce368 --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-906406.js @@ -0,0 +1,7 @@ +// Copyright 2018 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +for (x = 0; x < 10000; ++x) { + [(x) => x, [, 4294967295].find((x) => x), , 2].includes('x', -0); +}