[turbofan] Disable bogus lowering of builtin tail-calls.

src/compiler/js-typed-lowering.cc

 // Copyright 2014 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/js-typed-lowering.h"
 
 #include "src/builtins/builtins-utils.h"
 #include "src/code-factory.h"
 #include "src/compilation-dependencies.h"
 #include "src/compiler/access-builder.h"
@@ skipping 1654 matching lines @@
   // -- 2 + n + 3: the C entry point
   // -- 2 + n + 4: argc (Int32)
   // -----------------------------------
 
   // The logic contained here is mirrored in Builtins::Generate_Adaptor.
   // Keep these in sync.
 
   const bool is_construct = (node->opcode() == IrOpcode::kJSCallConstruct);
 
   DCHECK(Builtins::HasCppImplementation(builtin_index));
+  DCHECK_EQ(0, flags & CallDescriptor::kSupportsTailCalls);
 
   Node* target = NodeProperties::GetValueInput(node, 0);
   Node* new_target = is_construct
                          ? NodeProperties::GetValueInput(node, arity + 1)
                          : jsgraph->UndefinedConstant();
 
   // API and CPP builtins are implemented in C++, and we can inline both.
   // CPP builtins create a builtin exit frame, API builtins don't.
   const bool has_builtin_exit_frame = Builtins::IsCpp(builtin_index);
 
@@ skipping 56 matching lines @@
 
   // Check if {target} is a known JSFunction.
   if (target_type->IsHeapConstant() &&
       target_type->AsHeapConstant()->Value()->IsJSFunction()) {
     Handle<JSFunction> function =
         Handle<JSFunction>::cast(target_type->AsHeapConstant()->Value());
     Handle<SharedFunctionInfo> shared(function->shared(), isolate());
     const int builtin_index = shared->construct_stub()->builtin_index();
     const bool is_builtin = (builtin_index != -1);
 
     CallDescriptor::Flags flags = CallDescriptor::kNeedsFrameState;

[Michael Starzinger, 2016/10/26 11:35:54]

Flags are set unconditionally to not do tail calls here.

 
     if (is_builtin && Builtins::HasCppImplementation(builtin_index) &&
         !NeedsArgumentAdaptorFrame(shared, arity)) {
       // Patch {node} to a direct CEntryStub call.
 
       // Load the context from the {target}.
       Node* context = effect = graph()->NewNode(
           simplified()->LoadField(AccessBuilder::ForJSFunctionContext()),
           target, effect, control);
       NodeProperties::ReplaceContextInput(node, context);
@@ skipping 108 matching lines @@
                         jsgraph()->HeapConstant(callable.code()));
       node->InsertInput(graph()->zone(), 2, new_target);
       node->InsertInput(graph()->zone(), 3, argument_count);
       node->InsertInput(
           graph()->zone(), 4,
           jsgraph()->Int32Constant(shared->internal_formal_parameter_count()));
       NodeProperties::ChangeOp(
           node, common()->Call(Linkage::GetStubCallDescriptor(
                     isolate(), graph()->zone(), callable.descriptor(),
                     1 + arity, flags)));
-    } else if (is_builtin && Builtins::HasCppImplementation(builtin_index)) {
+    } else if (is_builtin && Builtins::HasCppImplementation(builtin_index) &&

[jgruber, 2016/10/26 11:22:59]

ReduceBuiltin is also called from ReduceJSCallConstruct, should the same check
be added there?

[Michael Starzinger, 2016/10/26 11:35:54]

Acknowledged. Constructor calls cannot be in tail-call position (even when they
syntactically appear as "return new f()" in the code) because the constructor
call chooses the actual return value based on an instance check. This work is
done by the construct stub (which has it's own frame) after the function
returns. This is one of the reasons why constructor calls are not considered
tail-calls by the ECMAScript spec:

http://www.ecma-international.org/ecma-262/6.0/#sec-tail-position-calls

+               ((flags & CallDescriptor::kSupportsTailCalls) == 0)) {
       // Patch {node} to a direct CEntryStub call.
       ReduceBuiltin(isolate(), jsgraph(), node, builtin_index, arity, flags);
     } else {
       // Patch {node} to a direct call.
       node->InsertInput(graph()->zone(), arity + 2, new_target);
       node->InsertInput(graph()->zone(), arity + 3, argument_count);
       NodeProperties::ChangeOp(node,
                                common()->Call(Linkage::GetJSCallDescriptor(
                                    graph()->zone(), false, 1 + arity, flags)));
     }
@@ skipping 277 matching lines @@
 }
 
 
 CompilationDependencies* JSTypedLowering::dependencies() const {
   return dependencies_;
 }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8