[turbofan] Fix TransitionElementsKindOrCheckMap

marjakh · V8 LUCI CQ · commit 8b490a9690b8 · 2025-03-04T06:09:01.000-08:00
Take into account that TransitionElementsKindOrCheckMap might change the map of an aliasing object. h/t dmercadier@ for figuring out the fix. Bug: 400052777 Change-Id: I07ac56058591619736dcc2d8f7355a7a34ecbbc7 Fixed: 400052777 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6321930 Reviewed-by: Darius Mercadier <dmercadier@chromium.org> Commit-Queue: Marja Hölttä <marja@chromium.org> Cr-Commit-Position: refs/heads/main@{#99049}
diff --git a/src/compiler/node-properties.cc b/src/compiler/node-properties.cc
@@ -458,6 +458,9 @@ NodeProperties::InferMapsResult NodeProperties::InferMapsUnsafe(
               ElementsTransitionWithMultipleSourcesOf(effect->op()).target()};
           return result;
         }
+        // `receiver` and `object` might alias, so
+        // TransitionElementsKindOrCheckMaps might change receiver's map.
+        result = kUnreliableMaps;
         break;
       }
       case IrOpcode::kJSCreate: {
diff --git a/test/mjsunit/compiler/regress-400052777.js b/test/mjsunit/compiler/regress-400052777.js
@@ -0,0 +1,31 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbofan --no-always-turbofan
+
+function main() {
+  function f0(v2, v3) {
+    // TransitionElementsKindOrCheckMap: PACKED_SMI -> HOLEY_DOUBLE_ELEMENTS
+    var v4 = v3[0];
+
+    // TransitionElementsKindOrCheckMap: HOLEY_DOUBLE_ELEMENTS -> HOLEY_ELEMENTS
+    var v5 = v2[0];
+
+    // If v2 == v3, v3 doesn't have HOLEY_DOUBLE_ELEMENTS anymore.
+    Array.prototype.indexOf.call(v3);
+  }
+  %PrepareFunctionForOptimization(f0);
+
+  const holey = new Array(1);
+  holey[0] = 'tagged'; // HOLEY_ELEMENTS
+  f0(holey, [1]);
+
+  const holey_double = new Array(1);
+  holey_double[0] = 0.1; // HOLEY_DOUBLE_ELEMENTS
+
+  %OptimizeFunctionOnNextCall(f0);
+  f0(holey_double, holey_double);
+}
+main();
+main();

Original file line number	Diff line number	Diff line change
`@@ -458,6 +458,9 @@ NodeProperties::InferMapsResult NodeProperties::InferMapsUnsafe(`
`458`	`458`	`ElementsTransitionWithMultipleSourcesOf(effect->op()).target()};`
`459`	`459`	`return result;`
`460`	`460`	`}`
	`461`	+ // `receiver` and `object` might alias, so
	`462`	`+ // TransitionElementsKindOrCheckMaps might change receiver's map.`
	`463`	`+ result = kUnreliableMaps;`
`461`	`464`	`break;`
`462`	`465`	`}`
`463`	`466`	`case IrOpcode::kJSCreate: {`