[maglev] Throw exception if inlined result is not tagged

... when inlining a derived constructor. Fixed: chromium:1466928 Bug: v8:7700 Change-Id: I593a5e620d4ab006342c9144798f3b2ed71441e9 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4711506 Auto-Submit: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Reviewed-by: Leszek Swirski <leszeks@chromium.org> Reviewed-by: Toon Verwaest <verwaest@chromium.org> Cr-Commit-Position: refs/heads/main@{#89152}
Mutter45 · Jul 24, 2023 · 5c1c91f · 5c1c91f
1 parent f43a566
commit 5c1c91f
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 0 deletions.
diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
@@ -7415,6 +7415,10 @@ ReduceResult MaglevGraphBuilder::ReduceConstruct(
           compiler::HeapObjectRef constant = maybe_constant.value();
           if (constant.IsJSReceiver()) return constant_node;
         }
+        if (!call_result->properties().is_tagged()) {
+          return BuildCallRuntime(Runtime::kThrowConstructorReturnedNonObject,
+                                  {});
+        }
         return AddNewNode<CheckDerivedConstructResult>({call_result});
       }
 

diff --git a/test/mjsunit/maglev/regress-1466928.js b/test/mjsunit/maglev/regress-1466928.js
@@ -0,0 +1,17 @@
+// Copyright 2023 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+//
+// Flags: --allow-natives-syntax --maglev --single-threaded
+
+for (let v1 = 0; v1 < 1000; v1++) {
+    v1++;
+    function f3() {
+    }
+    class C4 extends f3 {
+        constructor(a6) {
+            return a6;
+        }
+    }
+    try { new C4(v1); } catch (e) {}
+}