[compiler] Fix broken control chain in ArrayIterator lowering

DadaIsCrazy · V8 LUCI CQ · commit 2c3add17ffda · 2023-09-28T06:44:11.000Z
Fixed: chromium:1486342 Change-Id: Ie0f30d180c9545f073b161717226d37e68da3296 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4887041 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Darius Mercadier <dmercadier@chromium.org> Auto-Submit: Darius Mercadier <dmercadier@chromium.org> Cr-Commit-Position: refs/heads/main@{#90164}
diff --git a/src/compiler/js-call-reducer.cc b/src/compiler/js-call-reducer.cc
@@ -6382,8 +6382,11 @@ Reduction JSCallReducer::ReduceArrayIterator(Node* node,
     }
   }
 
+  // JSCreateArrayIterator doesn't have control output, so we bypass the old
+  // JSCall node on the control chain.
+  ReplaceWithValue(node, node, node, control);
+
   // Morph the {node} into a JSCreateArrayIterator with the given {kind}.
-  RelaxControls(node);
   node->ReplaceInput(0, receiver);
   node->ReplaceInput(1, context);
   node->ReplaceInput(2, effect);
diff --git a/test/mjsunit/compiler/regress-crbug-1486342.js b/test/mjsunit/compiler/regress-crbug-1486342.js
@@ -0,0 +1,25 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --jit-fuzzing
+
+const o13 = {
+  "maxByteLength": 5368789,
+};
+const v14 = new ArrayBuffer(129, o13);
+const v16 = new Uint16Array(v14);
+
+function f3(param) {
+  for (let i = 0; i < 5; i++) {
+    try {"resize".includes(v14); } catch (e) {}
+    v14.resize(3.0, ..."resize", ...v16);
+  }
+
+  let f = function() { return param; }
+}
+
+%PrepareFunctionForOptimization(f3);
+f3();
+%OptimizeFunctionOnNextCall(f3);
+f3();

Original file line number	Diff line number	Diff line change
`@@ -6382,8 +6382,11 @@ Reduction JSCallReducer::ReduceArrayIterator(Node* node,`
`6382`	`6382`	`}`
`6383`	`6383`	`}`
`6384`	`6384`
	`6385`	`+ // JSCreateArrayIterator doesn't have control output, so we bypass the old`
	`6386`	`+ // JSCall node on the control chain.`
	`6387`	`+ ReplaceWithValue(node, node, node, control);`
	`6388`	`+`
`6385`	`6389`	`// Morph the {node} into a JSCreateArrayIterator with the given {kind}.`
`6386`		`- RelaxControls(node);`
`6387`	`6390`	`node->ReplaceInput(0, receiver);`
`6388`	`6391`	`node->ReplaceInput(1, context);`
`6389`	`6392`	`node->ReplaceInput(2, effect);`