[turbofan] Fix JSInliner to handle non-returning bodies.

The assumption that every function body produces a value does not hold
for functions that e.g. unconditionally throw or endlessly loop. This
fixes the inlining logic to handle such cases.

R=bmeurer@chromium.org
TEST=mjsunit/regress/regress-crbug-530598
BUG=chromium:530598
LOG=n

Review URL: https://codereview.chromium.org/1333193005

Cr-Commit-Position: refs/heads/master@{#30738}

diff --git a/src/compiler/js-inlining.cc b/src/compiler/js-inlining.cc
index d676c9e..8e98547 100644 (file)
--- a/src/compiler/js-inlining.cc
+++ b/src/compiler/js-inlining.cc
@@ -189,24 +189,29 @@ Reduction JSInliner::InlineCall(Node* call, Node* context, Node* frame_state,
         break;
     }
   }
-  DCHECK_NE(0u, values.size());
   DCHECK_EQ(values.size(), effects.size());
   DCHECK_EQ(values.size(), controls.size());
-  int const input_count = static_cast<int>(controls.size());
-  Node* control_output = jsgraph_->graph()->NewNode(
-      jsgraph_->common()->Merge(input_count), input_count, &controls.front());
-  values.push_back(control_output);
-  effects.push_back(control_output);
-  Node* value_output = jsgraph_->graph()->NewNode(
-      jsgraph_->common()->Phi(kMachAnyTagged, input_count),
-      static_cast<int>(values.size()), &values.front());
-  Node* effect_output = jsgraph_->graph()->NewNode(
-      jsgraph_->common()->EffectPhi(input_count),
-      static_cast<int>(effects.size()), &effects.front());
-
-  ReplaceWithValue(call, value_output, effect_output, control_output);
-
-  return Changed(value_output);
+
+  // Depending on whether the inlinee produces a value, we either replace value
+  // uses with said value or kill value uses if no value can be returned.
+  if (values.size() > 0) {
+    int const input_count = static_cast<int>(controls.size());
+    Node* control_output = jsgraph_->graph()->NewNode(
+        jsgraph_->common()->Merge(input_count), input_count, &controls.front());
+    values.push_back(control_output);
+    effects.push_back(control_output);
+    Node* value_output = jsgraph_->graph()->NewNode(
+        jsgraph_->common()->Phi(kMachAnyTagged, input_count),
+        static_cast<int>(values.size()), &values.front());
+    Node* effect_output = jsgraph_->graph()->NewNode(
+        jsgraph_->common()->EffectPhi(input_count),
+        static_cast<int>(effects.size()), &effects.front());
+    ReplaceWithValue(call, value_output, effect_output, control_output);
+    return Changed(value_output);
+  } else {
+    ReplaceWithValue(call, call, call, jsgraph_->Dead());
+    return Changed(call);
+  }
 }
 
 

diff --git a/test/mjsunit/regress/regress-crbug-530598.js b/test/mjsunit/regress/regress-crbug-530598.js
new file mode 100644 (file)
index 0000000..f385523
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-530598.js
@@ -0,0 +1,25 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --turbo-inlining
+
+var f1 = (function() {
+  "use asm";
+  function g() { throw 0; }
+  function f() { return g(); }
+  return f;
+})();
+assertThrows("f1()");
+%OptimizeFunctionOnNextCall(f1);
+assertThrows("f1()");
+
+var f2 = (function() {
+  "use asm";
+  function g() { for (;;); }
+  function f(a) { return a || g(); }
+  return f;
+})();
+assertTrue(f2(true));
+%OptimizeFunctionOnNextCall(f2);
+assertTrue(f2(true));