From 4f9bc2d1c352136713b6122c1e2ba54cb552d9ae Mon Sep 17 00:00:00 2001
From: bmeurer
Date: Fri, 24 Apr 2015 03:51:48 -0700
Subject: [PATCH] [turbofan] Ignore dead cached nodes in the JSGraph.

BUG=chromium:480807
LOG=n
R=jarin@chromium.org
Review URL: https://codereview.chromium.org/1101273002
Cr-Commit-Position: refs/heads/master@{#28041}
---
 src/compiler/js-graph.cc | 18 +++++++++++-------
 test/mjsunit/regress/regress-crbug-480807.js | 22 ++++++++++++++++++++++
 2 files changed, 33 insertions(+), 7 deletions(-)
 create mode 100644 test/mjsunit/regress/regress-crbug-480807.js

diff --git a/src/compiler/js-graph.cc b/src/compiler/js-graph.cc
index 8171f1b..9363268 100644
--- a/src/compiler/js-graph.cc
+++ b/src/compiler/js-graph.cc
@@ -184,15 +184,17 @@ Node* JSGraph::ExternalConstant(ExternalReference reference) {
 
 
 Node* JSGraph::EmptyFrameState() {
- if (cached_nodes_[kEmptyFrameState] == nullptr) {
- Node* values = graph()->NewNode(common()->StateValues(0));
- Node* state_node = graph()->NewNode(
+ Node* empty_frame_state = cached_nodes_[kEmptyFrameState];
+ if (!empty_frame_state || empty_frame_state->IsDead()) {
+ Node* state_values = graph()->NewNode(common()->StateValues(0));
+ empty_frame_state = graph()->NewNode(
 common()->FrameState(JS_FRAME, BailoutId::None(),
 OutputFrameStateCombine::Ignore()),
- values, values, values, NoContextConstant(), UndefinedConstant());
- cached_nodes_[kEmptyFrameState] = state_node;
+ state_values, state_values, state_values, NoContextConstant(),
+ UndefinedConstant());
+ cached_nodes_[kEmptyFrameState] = empty_frame_state;
 }
- return cached_nodes_[kEmptyFrameState];
+ return empty_frame_state;
 }
 
 
@@ -204,7 +206,9 @@ Node* JSGraph::DeadControl() {
 void JSGraph::GetCachedNodes(NodeVector* nodes) {
 cache_.GetCachedNodes(nodes);
 for (size_t i = 0; i < arraysize(cached_nodes_); i++) {
- if (cached_nodes_[i]) nodes->push_back(cached_nodes_[i]);
+ if (Node* node = cached_nodes_[i]) {
+ if (!node->IsDead()) nodes->push_back(node);
+ }
 }
 }
 
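Review bot: The new `IsDead()` test in `EmptyFrameState()` is applied inline with no comment, so nothing records why a cached entry can be dead or that other readers of `cached_nodes_` need the same guard. The hunk header of the next hunk shows `DeadControl()` sitting between the two changed functions; its body is outside this diff, so it is worth confirming that it and the other cached accessors cannot return a dead node either. I would add a comment above the condition, e.g. `// The cached node may have been killed since it was created; rebuild it instead of handing a dead node to the caller.` If more accessors need the check, a small private helper that returns the cached node only when it is non-null and live would keep them consistent.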
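Review bot: In `GetCachedNodes()` only the entries of the `cached_nodes_` array are filtered for deadness; whatever `cache_.GetCachedNodes(nodes)` appends on the first line of the body is still passed to the caller unchecked. Whether entries of that cache can be killed is not visible from this hunk, but if they can, callers still receive dead nodes through that path. Either apply the same filter there or add a comment such as `// Nodes in cache_ are never killed, so only cached_nodes_ needs the IsDead() filter.` once that has been verified. As a style point, the nested `if` could be a single condition after `Node* node = cached_nodes_[i];`, namely `if (node && !node->IsDead()) nodes->push_back(node);`.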
diff --git a/test/mjsunit/regress/regress-crbug-480807.js b/test/mjsunit/regress/regress-crbug-480807.js
new file mode 100644
index 0000000..c273f20
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-480807.js
@@ -0,0 +1,22 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --use-osr --turbo-osr --noalways-opt
+
+function foo() {
+ var c = 0;
+ for (var e = 0; e < 1; ++e) {
+ for (var a = 1; a > 0; a--) {
+ c += 1;
+ }
+ for (var b = 1; b > 0; b--) {
+ %OptimizeOsr();
+ }
+ }
+ return c;
+}
+try {
+ foo();
+} catch (e) {
+}
-- 
2.7.4
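Review bot: The empty `catch (e) { }` around `foo()` swallows every exception and the return value is never checked, so this regression test can only fail on a hard crash. A miscompilation that produces a wrong result or throws would pass silently. Reading the loops, `foo()` should return 1, so unless the try/catch is needed for some configuration not visible here I would replace the last four lines with `assertEquals(1, foo());`. If the catch has to stay, a one-line comment explaining which exception is expected would help the next reader.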