From 7249e8cdb8dd0ee752ebc434a3fc5e7d6262dd81 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 17 Apr 2021 16:28:43 +0200 Subject: [PATCH] deps: V8: cherry-pick c449afa1953b Original commit message: Merged: [compiler] Fix a bug in SimplifiedLowering Revision: ba1b2cc09ab98b51ca3828d29d19ae3b0a7c3a92 BUG=chromium:1150649 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true (cherry picked from commit 966d0eb98dd2630e861d267288fa2c63be9b5465) Change-Id: Ic903e61ee00b7c240bed96633d1eab582c295308 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2557985 Reviewed-by: Tobias Tebbi Commit-Queue: Georg Neis Cr-Original-Commit-Position: refs/branch-heads/8.8@{#10} Cr-Original-Branched-From: 2dbcdc105b963ee2501c82139eef7e0603977ff0-refs/heads/8.8.278@{#1} Cr-Original-Branched-From: 366d30c99049b3f1c673f8a93deb9f879d0fa9f0-refs/heads/master@{#71094} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2624749 Reviewed-by: Jana Grill Reviewed-by: Achuith Bhandarkar Commit-Queue: Victor-Gabriel Savu Cr-Commit-Position: refs/branch-heads/8.6@{#52} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: https://github.com/v8/v8/commit/c449afa1953b5bbb68c48818433a587578d79a9b --- common.gypi | 2 +- deps/v8/src/compiler/simplified-lowering.cc | 13 +++++++--- .../test/mjsunit/compiler/regress-1150649.js | 24 +++++++++++++++++++ 3 files changed, 35 insertions(+), 4 deletions(-) create mode 100644 deps/v8/test/mjsunit/compiler/regress-1150649.js diff --git a/common.gypi b/common.gypi index 4ca813b9fc8370..b706dc925dc522 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.38', + 'v8_embedder_string': '-node.39', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/compiler/simplified-lowering.cc b/deps/v8/src/compiler/simplified-lowering.cc index 9252906e70d2a2..a9229617dad037 100644 --- a/deps/v8/src/compiler/simplified-lowering.cc +++ b/deps/v8/src/compiler/simplified-lowering.cc @@ -1381,7 +1381,6 @@ class RepresentationSelector { IsSomePositiveOrderedNumber(input1_type) ? CheckForMinusZeroMode::kDontCheckForMinusZero : CheckForMinusZeroMode::kCheckForMinusZero; - NodeProperties::ChangeOp(node, simplified()->CheckedInt32Mul(mz_mode)); } @@ -1425,6 +1424,13 @@ class RepresentationSelector { Type left_feedback_type = TypeOf(node->InputAt(0)); Type right_feedback_type = TypeOf(node->InputAt(1)); + + // Using Signed32 as restriction type amounts to promising there won't be + // signed overflow. This is incompatible with relying on a Word32 + // truncation in order to skip the overflow check. + Type const restriction = + truncation.IsUsedAsWord32() ? Type::Any() : Type::Signed32(); + // Handle the case when no int32 checks on inputs are necessary (but // an overflow check is needed on the output). Note that we do not // have to do any check if at most one side can be minus zero. For @@ -1438,7 +1444,7 @@ class RepresentationSelector { right_upper.Is(Type::Signed32OrMinusZero()) && (left_upper.Is(Type::Signed32()) || right_upper.Is(Type::Signed32()))) { VisitBinop(node, UseInfo::TruncatingWord32(), - MachineRepresentation::kWord32, Type::Signed32()); + MachineRepresentation::kWord32, restriction); } else { // If the output's truncation is identify-zeros, we can pass it // along. Moreover, if the operation is addition and we know the @@ -1458,8 +1464,9 @@ class RepresentationSelector { UseInfo right_use = CheckedUseInfoAsWord32FromHint(hint, FeedbackSource(), kIdentifyZeros); VisitBinop(node, left_use, right_use, MachineRepresentation::kWord32, - Type::Signed32()); + restriction); } + if (lower()) { if (truncation.IsUsedAsWord32() || !CanOverflowSigned32(node->op(), left_feedback_type, diff --git a/deps/v8/test/mjsunit/compiler/regress-1150649.js b/deps/v8/test/mjsunit/compiler/regress-1150649.js new file mode 100644 index 00000000000000..a193481a3a20dc --- /dev/null +++ b/deps/v8/test/mjsunit/compiler/regress-1150649.js @@ -0,0 +1,24 @@ +// Copyright 2020 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function foo(a) { + var y = 0x7fffffff; // 2^31 - 1 + + // Widen the static type of y (this condition never holds). + if (a == NaN) y = NaN; + + // The next condition holds only in the warmup run. It leads to Smi + // (SignedSmall) feedback being collected for the addition below. + if (a) y = -1; + + const z = (y + 1)|0; + return z < 0; +} + +%PrepareFunctionForOptimization(foo); +assertFalse(foo(true)); +%OptimizeFunctionOnNextCall(foo); +assertTrue(foo(false));