Version 5.4.500.1 (cherry-pick)
Merged 6646d73b6f387e7ef6add056cc022b6dafe03d36
[turbofan] Use ObjectIsReceiver directly for inlining.
BUG=chromium:640369
LOG=N
R=mstarzinger@chromium.org
TBR=mstarzinger@chromium.org
Review URL: https://codereview.chromium.org/2272393002 .
Cr-Commit-Position: refs/heads/5.4.500@{#2}
Cr-Branched-From: ad07b49d7b47b40a2d6f74d04d1b76ceae2a0253-refs/heads/master@{#38841}
diff --git a/include/v8-version.h b/include/v8-version.h
index 06fbf84..46d1c54 100644
--- a/include/v8-version.h
+++ b/include/v8-version.h
@@ -11,7 +11,7 @@
#define V8_MAJOR_VERSION 5
#define V8_MINOR_VERSION 4
#define V8_BUILD_NUMBER 500
-#define V8_PATCH_LEVEL 0
+#define V8_PATCH_LEVEL 1
// Use 1 for candidates and 0 otherwise.
// (Boolean macro values are not supported by all preprocessors.)
diff --git a/src/compiler/js-inlining.cc b/src/compiler/js-inlining.cc
index 4f1dc7c..635daa4 100644
--- a/src/compiler/js-inlining.cc
+++ b/src/compiler/js-inlining.cc
@@ -16,6 +16,7 @@
#include "src/compiler/node-matchers.h"
#include "src/compiler/node-properties.h"
#include "src/compiler/operator-properties.h"
+#include "src/compiler/simplified-operator.h"
#include "src/compiler/type-hint-analyzer.h"
#include "src/isolate-inl.h"
#include "src/parsing/parse-info.h"
@@ -435,20 +436,15 @@
NodeProperties::ReplaceEffectInput(node, create);
// Insert a check of the return value to determine whether the return
// value or the implicit receiver should be selected as a result of the
- // call. The check is wired into the successful control completion.
- Node* success = graph()->NewNode(common()->IfSuccess(), node);
- Node* check = graph()->NewNode(
- javascript()->CallRuntime(Runtime::kInlineIsJSReceiver, 1), node,
- context, node, success);
+ // call.
+ Node* check = graph()->NewNode(simplified()->ObjectIsReceiver(), node);
Node* select =
graph()->NewNode(common()->Select(MachineRepresentation::kTagged),
check, node, create);
- NodeProperties::ReplaceUses(node, select, check, check, node);
+ NodeProperties::ReplaceUses(node, select, node, node, node);
// Fix-up inputs that have been mangled by the {ReplaceUses} call above.
NodeProperties::ReplaceValueInput(select, node, 1); // Fix-up input.
NodeProperties::ReplaceValueInput(check, node, 0); // Fix-up input.
- NodeProperties::ReplaceEffectInput(check, node); // Fix-up input.
- NodeProperties::ReplaceControlInput(success, node); // Fix-up input.
receiver = create; // The implicit receiver.
}
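Review bot: The call `NodeProperties::ReplaceUses(node, select, node, node, node);` passes `{node}` itself for the last three replacements, and nothing in the hunk says this is deliberate. Judging by the old call, those slots cover the effect, success and exception uses, so only value uses appear to move to `select`; a comment such as `// Only value uses are redirected to {select}; effect and control uses stay on {node}.` would make that explicit. The shortened comment ending in `// call.` also drops the reason the check no longer needs effect or control wiring, presumably because `ObjectIsReceiver` takes only the value input. That is worth one sentence, since a mis-wired effect or control edge in the inliner can end up as a miscompile rather than a clean failure. The enclosing function starts and ends outside this hunk.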
@@ -527,6 +523,10 @@
CommonOperatorBuilder* JSInliner::common() const { return jsgraph()->common(); }
+SimplifiedOperatorBuilder* JSInliner::simplified() const {
+ return jsgraph()->simplified();
+}
+
} // namespace compiler
} // namespace internal
} // namespace v8
diff --git a/src/compiler/js-inlining.h b/src/compiler/js-inlining.h
index bb4cb9d..49487f5 100644
--- a/src/compiler/js-inlining.h
+++ b/src/compiler/js-inlining.h
@@ -38,6 +38,7 @@
private:
CommonOperatorBuilder* common() const;
JSOperatorBuilder* javascript() const;
+ SimplifiedOperatorBuilder* simplified() const;
Graph* graph() const;
JSGraph* jsgraph() const { return jsgraph_; }
diff --git a/test/mjsunit/regress/regress-crbug-640369.js b/test/mjsunit/regress/regress-crbug-640369.js
new file mode 100644
index 0000000..97982d1
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-640369.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function A() {
+ this.x = 0;
+ for (var i = 0; i < max; ) {}
+}
+function foo() {
+ for (var i = 0; i < 1; i = 2) %OptimizeOsr();
+ return new A();
+}
+try { foo(); } catch (e) { }
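Review bot: The final line `try { foo(); } catch (e) { }` swallows every exception, so this test only fails if the optimized code crashes. A miscompile that returns normally or throws the wrong error would still pass. `max` is never defined, so `new A()` appears intended to throw a ReferenceError from the inlined constructor; `assertThrows(foo, ReferenceError);` would pin that outcome. A one-line comment such as `// {max} is intentionally undefined so the inlined constructor throws.` would keep a later cleanup from "fixing" the test. The copyright header also says 2014 on a newly added file.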