[compiler] Don't assume a HeapConstant context input is a Context.

GeorgNeis · Commit Bot · commit 649ab060c05b · 2017-12-15T13:47:14.000Z
In a generator containing loops, there are always certain control flow paths that are impossible, due to the way we represent generators at the bytecode level. Unfortunately, the graph builder can't tell that these paths are impossible. In combination with dead code, it can then happen that we build a subgraph (for unreachable code) whose incoming context is the undefined oddball. JSContextSpecialization did not expect that. Bug: chromium:794822 Change-Id: I259be5ae6c5f5adc8fca19c64bf71285ee922b7a Reviewed-on: https://chromium-review.googlesource.com/828954 Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#50129}
diff --git a/src/compiler/js-context-specialization.cc b/src/compiler/js-context-specialization.cc
@@ -102,8 +102,11 @@ bool IsContextParameter(Node* node) {
 MaybeHandle<Context> GetSpecializationContext(Node* node, size_t* distance,
                                               Maybe<OuterContext> maybe_outer) {
   switch (node->opcode()) {
-    case IrOpcode::kHeapConstant:
-      return Handle<Context>::cast(OpParameter<Handle<HeapObject>>(node));
+    case IrOpcode::kHeapConstant: {
+      Handle<Object> object = OpParameter<Handle<HeapObject>>(node);
+      if (object->IsContext()) return Handle<Context>::cast(object);
+      break;
+    }
     case IrOpcode::kParameter: {
       OuterContext outer;
       if (maybe_outer.To(&outer) && IsContextParameter(node) &&
diff --git a/test/mjsunit/regress/regress-794822.js b/test/mjsunit/regress/regress-794822.js
@@ -0,0 +1,19 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function* opt(arg = () => arg) {
+  let tmp = opt.x;  // LdaNamedProperty
+  for (;;) {
+    arg;
+    yield;
+    function inner() { tmp }
+    break;
+  }
+}
+
+opt();
+%OptimizeFunctionOnNextCall(opt);
+opt();
