[turbofan] Sanitize typing rules for function calls.

src/compiler/typer.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/typer.h"
 
 #include "src/base/flags.h"
 #include "src/base/lazy-instance.h"
 #include "src/bootstrapper.h"
 #include "src/compiler/common-operator.h"
@@ skipping 1355 matching lines @@
 
 Type* Typer::Visitor::TypeJSYield(Node* node) { return Type::Any(); }
 
 
 Type* Typer::Visitor::TypeJSCallConstruct(Node* node) {
   return Type::Receiver();
 }
 
 
 Type* Typer::Visitor::JSCallFunctionTyper(Type* fun, Typer* t) {
-  return fun->IsFunction() ? fun->AsFunction()->Result() : Type::Any();
+  if (fun->IsFunction()) {
+    return fun->AsFunction()->Result();
+  }
+  if (fun->IsConstant() && fun->AsConstant()->Value()->IsJSFunction()) {
+    Handle<JSFunction> function =
+        Handle<JSFunction>::cast(fun->AsConstant()->Value());
+    if (function->shared()->HasBuiltinFunctionId()) {
+      switch (function->shared()->builtin_function_id()) {
+        case kMathRandom:
+          return Type::OrderedNumber();
+        case kMathFloor:
+        case kMathRound:
+        case kMathCeil:
+          return t->cache_.kWeakint;
+        // Unary math functions.
+        case kMathAbs:
+        case kMathLog:
+        case kMathExp:
+        case kMathSqrt:
+        case kMathCos:
+        case kMathSin:
+        case kMathTan:
+        case kMathAcos:
+        case kMathAsin:
+        case kMathAtan:
+        case kMathFround:
+          return Type::Number();
+        // Binary math functions.
+        case kMathAtan2:
+        case kMathPow:
+        case kMathMax:
+        case kMathMin:
+          return Type::Number();
+        case kMathImul:
+          return Type::Signed32();
+        case kMathClz32:
+          return t->cache_.kZeroToThirtyTwo;
+        // String functions.
+        case kStringCharAt:
+        case kStringFromCharCode:
+          return Type::String();
+        // Array functions.
+        case kArrayIndexOf:
+        case kArrayLastIndexOf:
+          return Type::Number();
+        default:
+          break;
+      }
+    }
+  }
+  return Type::Any();
 }
 
 
 Type* Typer::Visitor::TypeJSCallFunction(Node* node) {
-  return TypeUnaryOp(node, JSCallFunctionTyper);  // We ignore argument types.
+  // TODO(bmeurer): We could infer better types if we wouldn't ignore the
+  // argument types for the JSCallFunctionTyper above.
+  return TypeUnaryOp(node, JSCallFunctionTyper);
 }
 
 
 Type* Typer::Visitor::TypeJSCallRuntime(Node* node) {
   switch (CallRuntimeParametersOf(node->op()).id()) {
     case Runtime::kInlineIsSmi:
     case Runtime::kInlineIsArray:
     case Runtime::kInlineIsDate:
     case Runtime::kInlineIsTypedArray:
     case Runtime::kInlineIsMinusZero:
@@ skipping 644 matching lines @@
 Type* Typer::Visitor::TypeCheckedStore(Node* node) {
   UNREACHABLE();
   return nullptr;
 }
 
 
 // Heap constants.
 
 
 Type* Typer::Visitor::TypeConstant(Handle<Object> value) {
-  if (value->IsJSFunction()) {
-    if (JSFunction::cast(*value)->shared()->HasBuiltinFunctionId()) {
-      switch (JSFunction::cast(*value)->shared()->builtin_function_id()) {
-        case kMathRandom:
-          return typer_->cache_.kRandomFunc0;
-        case kMathFloor:
-        case kMathRound:
-        case kMathCeil:
-          return typer_->cache_.kWeakintFunc1;
-        // Unary math functions.
-        case kMathAbs:  // TODO(rossberg): can't express overloading
-        case kMathLog:
-        case kMathExp:
-        case kMathSqrt:
-        case kMathCos:
-        case kMathSin:
-        case kMathTan:
-        case kMathAcos:
-        case kMathAsin:
-        case kMathAtan:
-        case kMathFround:
-          return typer_->cache_.kNumberFunc1;
-        // Binary math functions.
-        case kMathAtan2:
-        case kMathPow:
-        case kMathMax:
-        case kMathMin:
-          return typer_->cache_.kNumberFunc2;
-        case kMathImul:
-          return typer_->cache_.kImulFunc;
-        case kMathClz32:
-          return typer_->cache_.kClz32Func;
-        default:
-          break;
-      }
-    }
-    int const arity =
-        JSFunction::cast(*value)->shared()->internal_formal_parameter_count();
-    switch (arity) {
-      case SharedFunctionInfo::kDontAdaptArgumentsSentinel:
-        // Some smart optimization at work... &%$!&@+$!
-        break;
-      case 0:
-        return typer_->cache_.kAnyFunc0;
-      case 1:
-        return typer_->cache_.kAnyFunc1;
-      case 2:
-        return typer_->cache_.kAnyFunc2;
-      case 3:
-        return typer_->cache_.kAnyFunc3;
-      default: {
-        DCHECK_LT(3, arity);
-        Type** const params = zone()->NewArray<Type*>(arity);
-        std::fill(&params[0], &params[arity], Type::Any(zone()));
-        return Type::Function(Type::Any(zone()), arity, params, zone());
-      }
-    }
-  } else if (value->IsJSTypedArray()) {
+  if (value->IsJSTypedArray()) {
     switch (JSTypedArray::cast(*value)->type()) {
 #define TYPED_ARRAY_CASE(Type, type, TYPE, ctype, size) \
   case kExternal##Type##Array:                          \
     return typer_->cache_.k##Type##Array;
       TYPED_ARRAYS(TYPED_ARRAY_CASE)
 #undef TYPED_ARRAY_CASE
     }
   }
   if (Type::IsInteger(*value)) {
     return Type::Range(value->Number(), value->Number(), zone());
   }
   return Type::Constant(value, zone());
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8