[turbofan] Use ObjectIsReceiver directly for inlining.

Don't bother using %_IsJSReceiver, which immediately gets lowered to ObjectIsReceiver anyways (by the JSIntrinsicLowering), but requires some complicated rewiring of effect/control chains. R=mstarzinger@chromium.org BUG=chromium:640369 Review-Url: https://codereview.chromium.org/2271973003 Cr-Commit-Position: refs/heads/master@{#38864}
nodejs · Aug 24, 2016 · 6646d73 · 6646d73
1 parent ce13866
commit 6646d73
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 8 deletions.
diff --git a/src/compiler/js-inlining.cc b/src/compiler/js-inlining.cc
@@ -16,6 +16,7 @@
 #include "src/compiler/node-matchers.h"
 #include "src/compiler/node-properties.h"
 #include "src/compiler/operator-properties.h"
+#include "src/compiler/simplified-operator.h"
 #include "src/compiler/type-hint-analyzer.h"
 #include "src/isolate-inl.h"
 #include "src/parsing/parse-info.h"
@@ -435,20 +436,15 @@ Reduction JSInliner::ReduceJSCall(Node* node, Handle<JSFunction> function) {
       NodeProperties::ReplaceEffectInput(node, create);
       // Insert a check of the return value to determine whether the return
       // value or the implicit receiver should be selected as a result of the
-      // call. The check is wired into the successful control completion.
-      Node* success = graph()->NewNode(common()->IfSuccess(), node);
-      Node* check = graph()->NewNode(
-          javascript()->CallRuntime(Runtime::kInlineIsJSReceiver, 1), node,
-          context, node, success);
+      // call.
+      Node* check = graph()->NewNode(simplified()->ObjectIsReceiver(), node);
       Node* select =
           graph()->NewNode(common()->Select(MachineRepresentation::kTagged),
                            check, node, create);
-      NodeProperties::ReplaceUses(node, select, check, check, node);
+      NodeProperties::ReplaceUses(node, select, node, node, node);
       // Fix-up inputs that have been mangled by the {ReplaceUses} call above.
       NodeProperties::ReplaceValueInput(select, node, 1);  // Fix-up input.
       NodeProperties::ReplaceValueInput(check, node, 0);   // Fix-up input.
-      NodeProperties::ReplaceEffectInput(check, node);     // Fix-up input.
-      NodeProperties::ReplaceControlInput(success, node);  // Fix-up input.
       receiver = create;  // The implicit receiver.
     }
 
@@ -527,6 +523,10 @@ JSOperatorBuilder* JSInliner::javascript() const {
 
 CommonOperatorBuilder* JSInliner::common() const { return jsgraph()->common(); }
 
+SimplifiedOperatorBuilder* JSInliner::simplified() const {
+  return jsgraph()->simplified();
+}
+
 }  // namespace compiler
 }  // namespace internal
 }  // namespace v8
diff --git a/src/compiler/js-inlining.h b/src/compiler/js-inlining.h
@@ -38,6 +38,7 @@ class JSInliner final : public AdvancedReducer {
  private:
   CommonOperatorBuilder* common() const;
   JSOperatorBuilder* javascript() const;
+  SimplifiedOperatorBuilder* simplified() const;
   Graph* graph() const;
   JSGraph* jsgraph() const { return jsgraph_; }
 

diff --git a/test/mjsunit/regress/regress-crbug-640369.js b/test/mjsunit/regress/regress-crbug-640369.js
@@ -0,0 +1,15 @@
+// Copyright 2014 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function A() {
+  this.x = 0;
+  for (var i = 0; i < max; ) {}
+}
+function foo() {
+  for (var i = 0; i < 1; i = 2) %OptimizeOsr();
+  return new A();
+}
+try { foo(); } catch (e) { }