
Unified Diff: src/compiler/js-typed-lowering.cc

Issue 1447323005: Fix argument allocation dangling effect chains (Closed) Base URL: https://chromium.googlesource.com/v8/v8.git@master
Patch Set: Remove out parameters Created 5 years, 1 month ago
Index: src/compiler/js-typed-lowering.cc
diff --git a/src/compiler/js-typed-lowering.cc b/src/compiler/js-typed-lowering.cc
index c925081f4109e30bd5768dcafb39fd8d9960f8bc..22ea5558f30b2503d521aa12d5a03abffa457b65 100644
--- a/src/compiler/js-typed-lowering.cc
+++ b/src/compiler/js-typed-lowering.cc
@@ -1469,6 +1469,8 @@ Reduction JSTypedLowering::ReduceJSCreateArguments(Node* node) {
bool has_aliased_arguments = false;
Node* const elements = AllocateAliasedArguments(
effect, control, args_state, context, shared, &has_aliased_arguments);
+ Node* allocate_effect =
+ elements->op()->EffectOutputCount() > 0 ? elements : effect;
// Load the arguments object map from the current native context.
Node* const load_global_object = graph()->NewNode(
simplified()->LoadField(
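Review bot: The `allocate_effect` selection added after `AllocateAliasedArguments` carries no comment saying when `elements` has no effect output, and the same two lines are repeated in the strict-arguments hunk after `AllocateArguments`. Presumably the helpers can return a constant rather than a fresh allocation when there is nothing to allocate, which is why the fallback to `effect` exists, but that is not visible here. A comment such as `// elements may be a constant with no effect output; keep the incoming effect then.` would state the invariant, and a small private helper would stop the two call sites from drifting apart. An allocation wired to the wrong effect input can let its initialising stores be ordered incorrectly, so the rule is worth writing down. ReduceJSCreateArguments starts and ends outside the hunk.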
@@ -1484,7 +1486,7 @@ Reduction JSTypedLowering::ReduceJSCreateArguments(Node* node) {
: Context::SLOPPY_ARGUMENTS_MAP_INDEX)),
load_native_context, effect, control);
// Actually allocate and initialize the arguments object.
- AllocationBuilder a(jsgraph(), effect, control);
+ AllocationBuilder a(jsgraph(), allocate_effect, control);
Node* properties = jsgraph()->EmptyFixedArrayConstant();
int length = args_state_info.parameter_count() - 1; // Minus receiver.
STATIC_ASSERT(Heap::kSloppyArgumentsObjectSize == 5 * kPointerSize);
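Review bot: The load ending in `load_native_context, effect, control);` still takes `effect` while the allocation below it now takes `allocate_effect`, so the map loads and the backing-store allocation both branch from the same incoming effect instead of forming one chain; the matching strict-arguments hunk has the same shape. That looks harmless if these context-slot loads read fields that never change after setup, but this is inferred rather than shown in the hunk. A comment like `// Map loads read immutable context slots, so they may stay on the incoming effect.` would record the intent; otherwise the loads should be threaded onto the same chain as the allocation. ReduceJSCreateArguments starts and ends outside the hunk.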
@@ -1512,6 +1514,8 @@ Reduction JSTypedLowering::ReduceJSCreateArguments(Node* node) {
FrameStateInfo args_state_info = OpParameter<FrameStateInfo>(args_state);
// Prepare element backing store to be used by arguments object.
Node* const elements = AllocateArguments(effect, control, args_state);
+ Node* allocate_effect =
+ elements->op()->EffectOutputCount() > 0 ? elements : effect;
// Load the arguments object map from the current native context.
Node* const load_global_object = graph()->NewNode(
simplified()->LoadField(
@@ -1526,7 +1530,7 @@ Reduction JSTypedLowering::ReduceJSCreateArguments(Node* node) {
AccessBuilder::ForContextSlot(Context::STRICT_ARGUMENTS_MAP_INDEX)),
load_native_context, effect, control);
// Actually allocate and initialize the arguments object.
- AllocationBuilder a(jsgraph(), effect, control);
+ AllocationBuilder a(jsgraph(), allocate_effect, control);
Node* properties = jsgraph()->EmptyFixedArrayConstant();
int length = args_state_info.parameter_count() - 1; // Minus receiver.
STATIC_ASSERT(Heap::kStrictArgumentsObjectSize == 4 * kPointerSize);
@@ -2345,7 +2349,7 @@ Node* JSTypedLowering::AllocateAliasedArguments(
Node* arguments = aa.Finish();
// Actually allocate the backing store.
- AllocationBuilder a(jsgraph(), effect, control);
+ AllocationBuilder a(jsgraph(), arguments, control);
a.AllocateArray(mapped_count + 2, factory()->sloppy_arguments_elements_map());
a.Store(AccessBuilder::ForFixedArraySlot(0), context);
a.Store(AccessBuilder::ForFixedArraySlot(1), arguments);
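Review bot: `arguments` is passed as the effect input of the second `AllocationBuilder` without the `EffectOutputCount() > 0` check that the callers in this same patch apply to the value this function returns. If `aa.Finish()` always yields a node with an effect output this is correct, but the hunk does not show that. Adding `DCHECK(arguments->op()->EffectOutputCount() > 0);` before constructing `a` would pin the assumption in debug builds. No regression test for the dangling chain is visible on this page, so the debug check would be the only guard against a later change reintroducing it. AllocateAliasedArguments starts and ends outside the hunk.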
