[compiler] fix FrameState revisit bug in escape analysis

tebbi · V8 LUCI CQ · commit 17da9e708330 · 2022-06-29T11:01:36.000Z
Bug: chromium:1340335, chromium:1315901 Change-Id: Ic348e8a66df098f64cf1893f83c145ac7bdb1ecb Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3732939 Reviewed-by: Maya Lekova <mslekova@chromium.org> Commit-Queue: Tobias Tebbi <tebbi@chromium.org> Auto-Submit: Tobias Tebbi <tebbi@chromium.org> Cr-Commit-Position: refs/heads/main@{#81434}
diff --git a/src/compiler/escape-analysis.cc b/src/compiler/escape-analysis.cc
@@ -78,6 +78,8 @@ class ReduceScope {
   explicit ReduceScope(Node* node, Reduction* reduction)
       : current_node_(node), reduction_(reduction) {}
 
+  void SetValueChanged() { reduction()->set_value_changed(); }
+
  protected:
   Node* current_node() const { return current_node_; }
   Reduction* reduction() { return reduction_; }
@@ -833,7 +835,9 @@ void ReduceNode(const Operator* op, EscapeAnalysisTracker::Scope* current,
       break;
     }
     case IrOpcode::kStateValues:
-      // These uses are always safe.
+      // We visit StateValue nodes through their correpsonding FrameState node,
+      // so we need to make sure we revisit the FrameState.
+      current->SetValueChanged();
       break;
     case IrOpcode::kFrameState: {
       // We mark the receiver as escaping due to the non-standard `.getThis`
