[turbofan] Fix missing bailout point before calls.

src/compiler/ast-graph-builder.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/ast-graph-builder.h"
 
 #include "src/compiler.h"
 #include "src/compiler/ast-loop-assignment-analyzer.h"
 #include "src/compiler/control-builders.h"
 #include "src/compiler/linkage.h"
@@ skipping 376 matching lines @@
 // Helper for generating before and after frame states.
 class AstGraphBuilder::FrameStateBeforeAndAfter {
  public:
   FrameStateBeforeAndAfter(AstGraphBuilder* builder, BailoutId id_before)
       : builder_(builder), frame_state_before_(nullptr) {
     frame_state_before_ = id_before == BailoutId::None()
                               ? builder_->jsgraph()->EmptyFrameState()
                               : builder_->environment()->Checkpoint(id_before);
   }
 
-  void AddToNode(Node* node, BailoutId id_after,
-                 OutputFrameStateCombine combine) {
+  void AddToNode(
+      Node* node, BailoutId id_after,
+      OutputFrameStateCombine combine = OutputFrameStateCombine::Ignore()) {
     int count = OperatorProperties::GetFrameStateInputCount(node->op());
     DCHECK_LE(count, 2);
 
     if (count >= 1) {
       // Add the frame state for after the operation.
       DCHECK_EQ(IrOpcode::kDead,
                 NodeProperties::GetFrameStateInput(node, 0)->opcode());
 
       Node* frame_state_after =
           id_after == BailoutId::None()
@@ skipping 1546 matching lines @@
   // (inclusive) and these elements gets appended to the array. Note that the
   // number elements an iterable produces is unknown ahead of time.
   environment()->Pop();  // Array literal index.
   for (; array_index < expr->values()->length(); array_index++) {
     Expression* subexpr = expr->values()->at(array_index);
     Node* array = environment()->Pop();
     Node* result;
 
     if (subexpr->IsSpread()) {
       VisitForValue(subexpr->AsSpread()->expression());
+      FrameStateBeforeAndAfter states(this,
+                                      subexpr->AsSpread()->expression()->id());
       Node* iterable = environment()->Pop();
       Node* function = BuildLoadNativeContextField(
           Context::CONCAT_ITERABLE_TO_ARRAY_BUILTIN_INDEX);
       result = NewNode(javascript()->CallFunction(3, NO_CALL_FUNCTION_FLAGS,
                                                   language_mode()),
                        function, array, iterable);
+      states.AddToNode(result, expr->GetIdForElement(array_index));
     } else {
       VisitForValue(subexpr);
       Node* value = environment()->Pop();
       const Operator* op =
           javascript()->CallRuntime(Runtime::kAppendElement, 2);
       result = NewNode(op, array, value);
+      PrepareFrameState(result, expr->GetIdForElement(array_index));
     }
 
-    PrepareFrameState(result, expr->GetIdForElement(array_index));
     environment()->Push(result);
   }
 
   ast_context()->ProduceValue(environment()->Pop());
 }
 
 
 void AstGraphBuilder::VisitForInAssignment(Expression* expr, Node* value,
                                            const VectorSlotPair& feedback,
                                            BailoutId bailout_id_before,
@@ skipping 492 matching lines @@
                       OutputFrameStateCombine::PokeAt(arg_count + 1));
 
     // Patch callee on the environment.
     environment()->Poke(arg_count + 1, new_callee);
   }
 
   // Create node to perform the function call.
   VectorSlotPair feedback = CreateVectorSlotPair(expr->CallFeedbackICSlot());
   const Operator* call = javascript()->CallFunction(
       args->length() + 2, flags, language_mode(), feedback, receiver_hint);
+  FrameStateBeforeAndAfter states(this, expr->CallId());
   Node* value = ProcessArguments(call, args->length() + 2);
   environment()->Push(value->InputAt(0));  // The callee passed to the call.
-  PrepareFrameState(value, expr->ReturnId(), OutputFrameStateCombine::Push());
+  states.AddToNode(value, expr->ReturnId(), OutputFrameStateCombine::Push());
   environment()->Drop(1);
   ast_context()->ProduceValue(value);
 }
 
 
 void AstGraphBuilder::VisitCallSuper(Call* expr) {
   SuperCallReference* super = expr->expression()->AsSuperCallReference();
   DCHECK_NOT_NULL(super);
 
   // Prepare the callee to the super call. The super constructor is stored as
@@ skipping 49 matching lines @@
   environment()->Push(callee_value);
   environment()->Push(receiver_value);
 
   // Evaluate all arguments to the JS runtime call.
   ZoneList<Expression*>* args = expr->arguments();
   VisitForValues(args);
 
   // Create node to perform the JS runtime call.
   const Operator* call =
       javascript()->CallFunction(args->length() + 2, flags, language_mode());
+  FrameStateBeforeAndAfter states(this, expr->CallId());
   Node* value = ProcessArguments(call, args->length() + 2);
-  PrepareFrameState(value, expr->id(), ast_context()->GetStateCombine());
+  states.AddToNode(value, expr->id(), ast_context()->GetStateCombine());
   ast_context()->ProduceValue(value);
 }
 
 
 void AstGraphBuilder::VisitCallRuntime(CallRuntime* expr) {
   // Handle calls to runtime functions implemented in JavaScript separately as
   // the call follows JavaScript ABI and the callee is statically unknown.
   if (expr->is_jsruntime()) {
     return VisitCallJSRuntime(expr);
   }
@@ skipping 1677 matching lines @@
     // Phi does not exist yet, introduce one.
     value = NewPhi(inputs, value, control);
     value->ReplaceInput(inputs - 1, other);
   }
   return value;
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8