[MERGE #6150 @MikeHolman] fix failure restoring arguments object when aliased in try block

MikeHolman · MikeHolman · commit aee5f512e85f · 2019-06-07T10:32:19.000-07:00
Merge pull request #6150 from MikeHolman:argrestoreintry for stack args bailout needs to know if value we are restoring is arguments (or an alias), but we don't precisely track flow in try blocks, so if assignment is to a writethrough sym we should give up on stack args. Fixes #6058
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -1537,6 +1537,17 @@ GlobOpt::OptArguments(IR::Instr *instr)
             CannotAllocateArgumentsObjectOnStack(instr->m_func);
             return;
         }
+
+        // Disable stack args if we are aliasing arguments inside try block to a writethrough symbol.
+        // We don't have precise tracking of these symbols, so bailout couldn't know if it needs to restore arguments object or not after exception
+        Region* tryRegion = this->currentRegion ? this->currentRegion->GetSelfOrFirstTryAncestor() : nullptr;
+        if (tryRegion && tryRegion->GetType() == RegionTypeTry &&
+            tryRegion->writeThroughSymbolsSet &&
+            tryRegion->writeThroughSymbolsSet->Test(dst->AsRegOpnd()->m_sym->m_id))
+        {
+            CannotAllocateArgumentsObjectOnStack(instr->m_func);
+            return;
+        }
         if(!dst->AsRegOpnd()->GetStackSym()->m_nonEscapingArgObjAlias)
         {
             CurrentBlockData()->TrackArgumentsSym(dst->AsRegOpnd());
diff --git a/test/Optimizer/argrestoreintry.js b/test/Optimizer/argrestoreintry.js
@@ -0,0 +1,20 @@
+function bar() {
+    throw new Error();
+}
+function foo() {
+    try {
+        x = arguments;
+        bar();
+    } catch (e) {
+        return x.length;
+    } 
+    var x = {
+        j: 1,
+        k: 2.2
+    };
+}
+foo();
+foo();
+let pass = foo() === 0;
+
+print(pass ? "Pass" : "Fail")
diff --git a/test/Optimizer/rlexe.xml b/test/Optimizer/rlexe.xml
@@ -1611,4 +1611,10 @@
       <compile-flags>-maxinterpretcount:1 -maxsimplejitruncount:1</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>argrestoreintry.js</files>
+      <compile-flags>-maxinterpretcount:1 -maxsimplejitruncount:1</compile-flags>
+    </default>
+  </test>
 </regress-exe>
