[turbofan] Properly deal with out-of-bounds fields in EscapeAnalysis.

src/compiler/escape-analysis.cc

 // Copyright 2015 the V8 project authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "src/compiler/escape-analysis.h"
 
 #include <limits>
 
 #include "src/base/flags.h"
 #include "src/bootstrapper.h"
@@ skipping 1381 matching lines @@
 }
 
 void EscapeAnalysis::ProcessLoadField(Node* node) {
   DCHECK_EQ(node->opcode(), IrOpcode::kLoadField);
   ForwardVirtualState(node);
   Node* from = ResolveReplacement(NodeProperties::GetValueInput(node, 0));
   VirtualState* state = virtual_states_[node->id()];
   if (VirtualObject* object = GetVirtualObject(state, from)) {
     if (!object->IsTracked()) return;
     int offset = OffsetForFieldAccess(node);
-    if (static_cast<size_t>(offset) >= object->field_count()) return;
+    if (static_cast<size_t>(offset) >= object->field_count()) {
+      // We have a load from a field that is not inside the {object}. This
+      // can only happen with conflicting type feedback and for dead {node}s.
+      // For now, we just mark the {object} as escaping.
+      // TODO(turbofan): Consider introducing an Undefined or None operator
+      // that we can replace this load with, since we know it's dead code.
+      if (status_analysis_->SetEscaped(from)) {
+        TRACE(
+            "Setting #%d (%s) to escaped because load field #%d from "
+            "offset %d outside of object\n",
+            from->id(), from->op()->mnemonic(), node->id(), offset);
+      }
+      return;
+    }
     Node* value = object->GetField(offset);
     if (value) {
       value = ResolveReplacement(value);
     }
     // Record that the load has this alias.
     UpdateReplacement(state, node, value);
   } else if (from->opcode() == IrOpcode::kPhi &&
              FieldAccessOf(node->op()).offset % kPointerSize == 0) {
     int offset = OffsetForFieldAccess(node);
     // Only binary phis are supported for now.
@@ skipping 44 matching lines @@
 }
 
 void EscapeAnalysis::ProcessStoreField(Node* node) {
   DCHECK_EQ(node->opcode(), IrOpcode::kStoreField);
   ForwardVirtualState(node);
   Node* to = ResolveReplacement(NodeProperties::GetValueInput(node, 0));
   VirtualState* state = virtual_states_[node->id()];
   if (VirtualObject* object = GetVirtualObject(state, to)) {
     if (!object->IsTracked()) return;
     int offset = OffsetForFieldAccess(node);
-    if (static_cast<size_t>(offset) >= object->field_count()) return;
+    if (static_cast<size_t>(offset) >= object->field_count()) {
+      // We have a store to a field that is not inside the {object}. This
+      // can only happen with conflicting type feedback and for dead {node}s.
+      // For now, we just mark the {object} as escaping.
+      // TODO(turbofan): Consider just eliminating the store in the reducer
+      // pass, as it's dead code anyways.
+      if (status_analysis_->SetEscaped(to)) {
+        TRACE(
+            "Setting #%d (%s) to escaped because store field #%d to "
+            "offset %d outside of object\n",
+            to->id(), to->op()->mnemonic(), node->id(), offset);
+      }
+      return;
+    }
     Node* val = ResolveReplacement(NodeProperties::GetValueInput(node, 1));
     // TODO(mstarzinger): The following is a workaround to not track some well
     // known raw fields. We only ever store default initial values into these
     // fields which are hard-coded in {TranslatedState::MaterializeAt} as well.
     if (val->opcode() == IrOpcode::kInt32Constant ||
         val->opcode() == IrOpcode::kInt64Constant) {
       DCHECK(FieldAccessOf(node->op()).offset == JSFunction::kCodeEntryOffset ||
              FieldAccessOf(node->op()).offset == Name::kHashFieldOffset);
       val = slot_not_analyzed_;
     }
@@ skipping 158 matching lines @@
     }
   }
   return false;
 }
 
 Graph* EscapeAnalysis::graph() const { return status_analysis_->graph(); }
 
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8