Skip to content

[v10.x-staging] v8: fix load elimination liveness checks #31613

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
bnoordhuis wants to merge 1 commit into from
Closed

[v10.x-staging] v8: fix load elimination liveness checks #31613

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
v8: fix load elimination liveness checks 
This commit back-ports the implementations of IsRename() and MayAlias()
from the upstream 8.0 branch wholesale. Fixes several bugs where V8's
load elimination pass considered values to be alive when they weren't.

Fixes: #31484
  • Loading branch information
@bnoordhuis
bnoordhuis committed Feb 2, 2020
commit 2b4f2140f3f3e0093a962b68cb8b68a5668521e4
33 changes: 10 additions & 23 deletions deps/v8/src/compiler/load-elimination.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ bool IsRename(Node* node) {
switch (node->opcode()) {
case IrOpcode::kFinishRegion:
case IrOpcode::kTypeGuard:
return true;
return !node->IsDead();
default:
return false;
}
Expand All @@ -35,12 +35,14 @@ Node* ResolveRenames(Node* node) {
}

bool MayAlias(Node* a, Node* b) {
if (a == b) return true;
if (!NodeProperties::GetType(a).Maybe(NodeProperties::GetType(b))) {
return false;
}
switch (b->opcode()) {
case IrOpcode::kAllocate: {
if (a != b) {
if (!NodeProperties::GetType(a).Maybe(NodeProperties::GetType(b))) {
return false;
} else if (IsRename(b)) {
return MayAlias(a, b->InputAt(0));
} else if (IsRename(a)) {
return MayAlias(a->InputAt(0), b);
} else if (b->opcode() == IrOpcode::kAllocate) {
switch (a->opcode()) {
case IrOpcode::kAllocate:
case IrOpcode::kHeapConstant:
Expand All @@ -49,30 +51,15 @@ bool MayAlias(Node* a, Node* b) {
default:
break;
}
break;
}
case IrOpcode::kFinishRegion:
case IrOpcode::kTypeGuard:
return MayAlias(a, b->InputAt(0));
default:
break;
}
switch (a->opcode()) {
case IrOpcode::kAllocate: {
} else if (a->opcode() == IrOpcode::kAllocate) {
switch (b->opcode()) {
case IrOpcode::kHeapConstant:
case IrOpcode::kParameter:
return false;
default:
break;
}
break;
}
case IrOpcode::kFinishRegion:
case IrOpcode::kTypeGuard:
return MayAlias(a->InputAt(0), b);
default:
break;
}
return true;
}
Expand Down
7 changes: 7 additions & 0 deletions deps/v8/test/mjsunit/regress/regress-906406.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
// Copyright 2018 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

for (x = 0; x < 10000; ++x) {
[(x) => x, [, 4294967295].find((x) => x), , 2].includes('x', -0);
}