[turbofan] Fix missing bailout point before calls.

src/compiler/js-inlining.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-inlining.h"
 
 #include "src/ast.h"
 #include "src/ast-numbering.h"
 #include "src/compiler.h"
 #include "src/compiler/all-nodes.h"
@@ skipping 38 matching lines @@
     return call_->InputAt(static_cast<int>(2 + index));
   }
 
   size_t formal_arguments() {
     // {value_inputs} includes jsfunction and receiver.
     size_t value_inputs = call_->op()->ValueInputCount();
     DCHECK_GE(call_->InputCount(), 2);
     return value_inputs - 2;
   }
 
-  Node* frame_state() { return NodeProperties::GetFrameStateInput(call_, 0); }
+  Node* frame_state_before() {
+    return NodeProperties::GetFrameStateInput(call_, 1);
+  }
+  Node* frame_state_after() {
+    return NodeProperties::GetFrameStateInput(call_, 0);
+  }
 
  private:
   Node* call_;
 };
 
 
 class CopyVisitor {
  public:
   CopyVisitor(Graph* source_graph, Graph* target_graph, Zone* temp_zone)
       : sentinel_op_(IrOpcode::kDead, Operator::kNoProperties, "Sentinel", 0, 0,
@@ skipping 160 matching lines @@
   Node* node0 = jsgraph_->graph()->NewNode(op0);
   NodeVector params(local_zone_);
   params.push_back(call->receiver());
   for (size_t argument = 0; argument != call->formal_arguments(); ++argument) {
     params.push_back(call->formal_argument(argument));
   }
   const Operator* op_param =
       jsgraph_->common()->StateValues(static_cast<int>(params.size()));
   Node* params_node = jsgraph_->graph()->NewNode(
       op_param, static_cast<int>(params.size()), &params.front());
-  return jsgraph_->graph()->NewNode(op, params_node, node0, node0,
-                                    jsgraph_->UndefinedConstant(),
-                                    call->jsfunction(), call->frame_state());
+  return jsgraph_->graph()->NewNode(
+      op, params_node, node0, node0, jsgraph_->UndefinedConstant(),
+      call->jsfunction(), call->frame_state_after());
 }
 
 
 Reduction JSInliner::Reduce(Node* node) {
   if (node->opcode() != IrOpcode::kJSCallFunction) return NoChange();
 
   JSCallFunctionAccessor call(node);
   HeapObjectMatcher match(call.jsfunction());
   if (!match.HasValue() || !match.Value()->IsJSFunction()) return NoChange();
   Handle<JSFunction> function = Handle<JSFunction>::cast(match.Value());
@@ skipping 35 matching lines @@
       info_->context()->native_context()) {
     TRACE("Not inlining %s into %s because of different native contexts\n",
           function->shared()->DebugName()->ToCString().get(),
           info_->shared_info()->DebugName()->ToCString().get());
     return NoChange();
   }
 
   // TODO(turbofan): TranslatedState::GetAdaptedArguments() currently relies on
   // not inlining recursive functions. We might want to relax that at some
   // point.
-  for (Node* frame_state = call.frame_state();
+  for (Node* frame_state = call.frame_state_after();
        frame_state->opcode() == IrOpcode::kFrameState;
        frame_state = frame_state->InputAt(kFrameStateOuterStateInput)) {
     FrameStateInfo const& info = OpParameter<FrameStateInfo>(frame_state);
     Handle<SharedFunctionInfo> shared_info;
     if (info.shared_info().ToHandle(&shared_info) &&
         *shared_info == function->shared()) {
       TRACE("Not inlining %s into %s because call is recursive\n",
             function->shared()->DebugName()->ToCString().get(),
             info_->shared_info()->DebugName()->ToCString().get());
       return NoChange();
@@ skipping 93 matching lines @@
   // TODO(turbofan): We might want to load the context from the JSFunction at
   // runtime in case we only know the SharedFunctionInfo once we have dynamic
   // type feedback in the compiler.
   Node* context = jsgraph_->Constant(handle(function->context()));
 
   CopyVisitor visitor(&graph, jsgraph_->graph(), &zone);
   visitor.CopyGraph();
 
   Node* start = visitor.GetCopy(graph.start());
   Node* end = visitor.GetCopy(graph.end());
-  Node* frame_state = call.frame_state();
+  Node* frame_state = call.frame_state_after();
+
+  // Insert a JSConvertReceiver node for sloppy callees. Note that the context
+  // passed into this node has to be the callees context (loaded above). Note
+  // that the frame state passed to the JSConvertReceiver must be the frame
+  // state _before_ the call; it is not necessary to fiddle with the receiver
+  // in that frame state tho, as the conversion of the receiver can be repeated
+  // any number of times, it's not observable.
+  if (is_sloppy(info.language_mode()) && !function->shared()->native()) {
+    const CallFunctionParameters& p = CallFunctionParametersOf(node->op());
+    Node* effect = NodeProperties::GetEffectInput(node);
+    Node* convert = jsgraph_->graph()->NewNode(
+        jsgraph_->javascript()->ConvertReceiver(p.convert_mode()),
+        call.receiver(), context, call.frame_state_before(), effect, start);
+    NodeProperties::ReplaceValueInput(node, convert, 1);
+    NodeProperties::ReplaceEffectInput(node, convert);
+  }
 
   // Insert argument adaptor frame if required. The callees formal parameter
   // count (i.e. value outputs of start node minus target, receiver & context)
   // have to match the number of arguments passed to the call.
   DCHECK_EQ(static_cast<int>(parameter_count),
             start->op()->ValueOutputCount() - 3);
   if (call.formal_arguments() != parameter_count) {
     frame_state = CreateArgumentsAdaptorFrameState(&call, info.shared_info());
   }
 
-  // Insert a JSConvertReceiver node for sloppy callees. Note that the context
-  // passed into this node has to be the callees context (loaded above).
-  if (is_sloppy(info.language_mode()) && !function->shared()->native()) {
-    const CallFunctionParameters& p = CallFunctionParametersOf(node->op());
-    Node* effect = NodeProperties::GetEffectInput(node);
-    Node* convert = jsgraph_->graph()->NewNode(
-        jsgraph_->javascript()->ConvertReceiver(p.convert_mode()),
-        call.receiver(), context, frame_state, effect, start);
-    NodeProperties::ReplaceValueInput(node, convert, 1);
-    NodeProperties::ReplaceEffectInput(node, convert);
-  }
-
   return InlineCall(node, context, frame_state, start, end);
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8