[maglev] Check value before inlining Object builtin

victorgomes · V8 LUCI CQ · commit dc03a6debd4e · 2024-09-03T09:27:50.000Z
Fixed: 363983041 Change-Id: I9b8520518a8bc6fde740cdced5c23e62c159b832 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5833384 Commit-Queue: Victor Gomes <victorgomes@chromium.org> Auto-Submit: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Patrick Thier <pthier@chromium.org> Reviewed-by: Patrick Thier <pthier@chromium.org> Cr-Commit-Position: refs/heads/main@{#95924}
diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
@@ -10292,7 +10292,8 @@ ReduceResult MaglevGraphBuilder::TryReduceConstructArrayConstructor(
 
 ReduceResult MaglevGraphBuilder::TryReduceConstructBuiltin(
     compiler::JSFunctionRef builtin,
-    compiler::SharedFunctionInfoRef shared_function_info, CallArguments& args) {
+    compiler::SharedFunctionInfoRef shared_function_info, ValueNode* target,
+    CallArguments& args) {
   // TODO(victorgomes): specialize more known constants builtin targets.
   switch (shared_function_info.builtin_id()) {
     case Builtin::kArrayConstructor: {
@@ -10303,6 +10304,7 @@ ReduceResult MaglevGraphBuilder::TryReduceConstructBuiltin(
       // If no value is passed, we can immediately lower to a simple
       // constructor.
       if (args.count() == 0) {
+        RETURN_IF_ABORT(BuildCheckValue(target, builtin));
         ValueNode* result = BuildInlinedAllocation(CreateJSConstructor(builtin),
                                                    AllocationType::kYoung);
         // TODO(leszeks): Don't eagerly clear the raw allocation, have the
@@ -10432,8 +10434,8 @@ ReduceResult MaglevGraphBuilder::TryReduceConstruct(
   }
 
   if (shared_function_info.HasBuiltinId()) {
-    RETURN_IF_DONE(
-        TryReduceConstructBuiltin(function, shared_function_info, args));
+    RETURN_IF_DONE(TryReduceConstructBuiltin(function, shared_function_info,
+                                             target, args));
   }
 
   if (shared_function_info.construct_as_builtin()) {
diff --git a/src/maglev/maglev-graph-builder.h b/src/maglev/maglev-graph-builder.h
@@ -2056,7 +2056,7 @@ class MaglevGraphBuilder {
       compiler::OptionalAllocationSiteRef maybe_allocation_site = {});
   ReduceResult TryReduceConstructBuiltin(
       compiler::JSFunctionRef builtin,
-      compiler::SharedFunctionInfoRef shared_function_info,
+      compiler::SharedFunctionInfoRef shared_function_info, ValueNode* target,
       CallArguments& args);
   ReduceResult TryReduceConstructGeneric(
       compiler::JSFunctionRef function,
diff --git a/test/mjsunit/maglev/regress-363983041.js b/test/mjsunit/maglev/regress-363983041.js
@@ -0,0 +1,14 @@
+// Copyright 2024 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax
+
+function foo(x) {
+  return new x();
+}
+
+%PrepareFunctionForOptimization(foo);
+foo(Object);
+%OptimizeFunctionOnNextCall(foo);
+assertThrows(foo, TypeError);
