Skip to content

Commit df98901

Browse files
mythrialleCommit Bot
mythrialle
authored and
Commit Bot
committed
[interpreter] Store accumulator to callee after optional chain checks
Optional chain checks check if the object is null or undefined and if it is we don't perform the load but just load accumulator with undefined. For calls the value of the accumulator needs to be stored in the callee register. We were doing this only when the object isn't null or undefined. This cl fixes it by storing it to callee always. Bug: chromium:1171954 Change-Id: I391af18e783486fed70be561027bd8aba97b93cc Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2665466 Commit-Queue: Mythri Alle <[email protected]> Reviewed-by: Shu-yu Guo <[email protected]> Cr-Commit-Position: refs/heads/master@{#72475}
1 parent 98653d0 commit df98901

3 files changed

Lines changed: 24 additions & 4 deletions

File tree

src/interpreter/bytecode-generator.cc

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5043,8 +5043,9 @@ void BytecodeGenerator::VisitCall(Call* expr) {
50435043
Property* property = chain->expression()->AsProperty();
50445044
BuildOptionalChain([&]() {
50455045
VisitAndPushIntoRegisterList(property->obj(), &args);
5046-
VisitPropertyLoadForRegister(args.last_register(), property, callee);
5046+
VisitPropertyLoad(args.last_register(), property);
50475047
});
5048+
builder()->StoreAccumulatorInRegister(callee);
50485049
break;
50495050
}
50505051
case Call::SUPER_CALL:

test/mjsunit/regress/regress-crbug-1038178.js

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -15,7 +15,7 @@ function opt(){
1515
(((function(){})())?.v)()
1616
}
1717
%PrepareFunctionForOptimization(opt)
18-
assertThrows(opt());
19-
assertThrows(opt());
18+
assertThrows(() => opt());
19+
assertThrows(() => opt());
2020
%OptimizeFunctionOnNextCall(opt)
21-
assertThrows(opt());
21+
assertThrows(() => opt());

test/mjsunit/regress/regress-crbug-1171954.js

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
// Copyright 2021 the V8 project authors. All rights reserved.
2+
// Use of this source code is governed by a BSD-style license that can be
3+
// found in the LICENSE file.
4+
5+
// Flags: --always-opt
6+
7+
// This causes the register used by the call in the later try-catch block to be
8+
// used by the ToName conversion for null which causes a DCHECK fail when
9+
// compiling. If register allocation changes, this test may no longer reproduce
10+
// the crash but it is not easy write a proper test because it is linked to
11+
// register allocation. This test should always work, so shouldn't cause any
12+
// flakes.
13+
try {
14+
var { [null]: __v_12, } = {};
15+
} catch (e) {}
16+
17+
try {
18+
assertEquals((__v_40?.o?.m)().p);
19+
} catch (e) {}

0 commit comments

Comments
 (0)