Merged: [turbofan] Disable inlining of derived class constructors.

Revision: c019e53 BUG=chromium:706642 LOG=N NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true Change-Id: I61e9d2decb269b33aefcc6e77d6c09bab3a2a994 Reviewed-on: https://chromium-review.googlesource.com/465828 Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/branch-heads/5.8@{crosswalk-project#49} Cr-Branched-From: eda659c-refs/heads/5.8.283@{crosswalk-project#1} Cr-Branched-From: 4310cd0-refs/heads/master@{#43429}
asifhisam · Apr 3, 2017 · 708debd · 708debd
1 parent 76c0b24
commit 708debd
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 0 deletions.
diff --git a/src/compiler/js-inlining.cc b/src/compiler/js-inlining.cc
@@ -478,6 +478,18 @@ Reduction JSInliner::ReduceJSCall(Node* node) {
     return NoChange();
   }
 
+  // TODO(706642): Don't inline derived class constructors for now, as the
+  // inlining logic doesn't deal properly with derived class constructors
+  // that return a primitive, i.e. it's not in sync with what the Parser
+  // and the JSConstructSub does.
+  if (node->opcode() == IrOpcode::kJSConstruct &&
+      IsDerivedConstructor(shared_info->kind())) {
+    TRACE("Not inlining %s into %s because constructor is derived.\n",
+          shared_info->DebugName()->ToCString().get(),
+          info_->shared_info()->DebugName()->ToCString().get());
+    return NoChange();
+  }
+
   // Class constructors are callable, but [[Call]] will raise an exception.
   // See ES6 section 9.2.1 [[Call]] ( thisArgument, argumentsList ).
   if (node->opcode() == IrOpcode::kJSCall &&

diff --git a/test/mjsunit/regress/regress-crbug-706642.js b/test/mjsunit/regress/regress-crbug-706642.js
@@ -0,0 +1,37 @@
+// Copyright 2017 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+class A extends Object {
+  constructor(arg) {
+    super();
+    superclass_counter++;
+    if (superclass_counter === 3) {
+      return 1;
+    }
+  }
+}
+
+class B extends A {
+  constructor() {
+    let x = super(123);
+    return x.a;
+  }
+}
+
+var superclass_counter = 0;
+var observer = new Proxy(A, {
+  get(target, property, receiver) {
+    if (property === 'prototype') {
+      %DeoptimizeFunction(B);
+    }
+    return Reflect.get(target, property, receiver);
+  }
+});
+
+Reflect.construct(B, [], observer);
+Reflect.construct(B, [], observer);
+%OptimizeFunctionOnNextCall(B);
+assertThrows(() => Reflect.construct(B, [], observer), TypeError);