[maglev] fix receiver location in regalloc for inlined functions

DadaIsCrazy · V8 LUCI CQ · commit 10f09c40188e · 2025-09-29T05:05:28.000-07:00
Fixed: 447658917 Change-Id: I3ba1cf632d79bde4b8afe5dc954be95b98657c19 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6994738 Commit-Queue: Darius Mercadier <dmercadier@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Auto-Submit: Darius Mercadier <dmercadier@chromium.org> Cr-Commit-Position: refs/heads/main@{#102826}
diff --git a/src/maglev/maglev-basic-block.h b/src/maglev/maglev-basic-block.h
@@ -262,6 +262,7 @@ class BasicBlock {
   bool is_exception_handler_block() const {
     return has_state() && state_->is_exception_handler();
   }
+  bool is_inline() const { return has_state() && state_->is_inline(); }
 
   // If the basic block is an empty (unnecessary) block containing only an
   // unconditional jump to the successor block, return the successor block.
diff --git a/src/maglev/maglev-interpreter-frame-state.cc b/src/maglev/maglev-interpreter-frame-state.cc
@@ -148,7 +148,8 @@ MergePointInterpreterFrameState::MergePointInterpreterFrameState(
     : merge_offset_(merge_offset),
       predecessor_count_(predecessor_count),
       predecessors_so_far_(predecessors_so_far),
-      bitfield_(kBasicBlockTypeBits::encode(type)),
+      bitfield_(kBasicBlockTypeBits::encode(type) |
+                kIsInline::encode(info.is_inline())),
       predecessors_(predecessors),
       frame_state_(info, liveness),
       per_predecessor_alternatives_(
diff --git a/src/maglev/maglev-interpreter-frame-state.h b/src/maglev/maglev-interpreter-frame-state.h
@@ -465,6 +465,8 @@ class MergePointInterpreterFrameState {
            basic_block_type() == BasicBlockType::kUnusedExceptionHandlerStart;
   }
 
+  bool is_inline() const { return kIsInline::decode(bitfield_); }
+
   bool is_unmerged_loop() const {
     // If this is a loop and not all predecessors are set, then the loop isn't
     // merged yet.
@@ -518,6 +520,7 @@ class MergePointInterpreterFrameState {
   using kBasicBlockTypeBits = base::BitField<BasicBlockType, 0, 2>;
   using kIsResumableLoopBit = kBasicBlockTypeBits::Next<bool, 1>;
   using kIsLoopWithPeeledIterationBit = kIsResumableLoopBit::Next<bool, 1>;
+  using kIsInline = kIsLoopWithPeeledIterationBit::Next<bool, 1>;
 
   // For each non-Phi value in the frame state, store its alternative
   // representations to avoid re-converting on Phi creation.
diff --git a/src/maglev/maglev-regalloc.cc b/src/maglev/maglev-regalloc.cc
@@ -520,17 +520,17 @@ void StraightForwardRegisterAllocator::AllocateRegisters() {
               }
             }
           } else if (phi->owner().is_parameter() &&
-                     phi->owner().is_receiver()) {
+                     phi->owner().is_receiver() && !block->is_inline()) {
             // The receiver is a special case for a fairly silly reason:
             // OptimizedJSFrame::Summarize requires the receiver (and the
             // function) to be in a stack slot, since its value must be
             // available even though we're not deoptimizing (and thus register
             // states are not available).
             //
-            // TODO(leszeks):
-            // For inlined functions / nested graph generation, this a) doesn't
-            // work (there's no receiver stack slot); and b) isn't necessary
-            // (Summarize only looks at noninlined functions).
+            // Note that this is skipped for inlined functions / nested graph
+            // generation, since this a) wouldn't work (there's no receiver
+            // stack slot); and b) isn't necessary (Summarize only looks at
+            // noninlined functions).
             phi->regalloc_info()->Spill(compiler::AllocatedOperand(
                 compiler::AllocatedOperand::STACK_SLOT,
                 MachineRepresentation::kTagged,
diff --git a/test/mjsunit/maglev/regress-447658917.js b/test/mjsunit/maglev/regress-447658917.js
@@ -0,0 +1,55 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+(function () {
+  const handler = {
+    get: function () {
+      return __dummy;
+    }
+  };
+  __dummy = new Proxy(function () {
+  }, handler);
+  Object.freeze(__dummy);
+})();
+
+function __wrapTC() {
+  return __dummy;
+}
+
+
+let caught = 0;
+
+class C1 {
+  constructor(x) {
+    return x;
+  }
+}
+class C2 extends C1 {
+  field = (() => {})();
+  constructor(x) {
+    try {
+      super(x);
+    } catch (e) {
+    }
+  }
+}
+function foo() {
+  let x = __wrapTC();
+  new C2(x);
+  try {
+    this.test();
+  } catch (e) {
+    return 42;
+  }
+}
+
+%PrepareFunctionForOptimization(foo);
+%PrepareFunctionForOptimization(C2);
+assertEquals(42, foo());
+assertEquals(42, foo());
+
+%OptimizeMaglevOnNextCall(foo);
+assertEquals(42, foo());

Original file line number	Diff line number	Diff line change
`@@ -262,6 +262,7 @@ class BasicBlock {`
`262`	`262`	`bool is_exception_handler_block() const {`
`263`	`263`	`return has_state() && state_->is_exception_handler();`
`264`	`264`	`}`
	`265`	`+ bool is_inline() const { return has_state() && state_->is_inline(); }`
`265`	`266`
`266`	`267`	`// If the basic block is an empty (unnecessary) block containing only an`
`267`	`268`	`// unconditional jump to the successor block, return the successor block.`