From 47626c52a3b1692817dc81079b2f864c04a7dae1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Mon, 26 Apr 2021 22:17:45 +0200 Subject: [PATCH] deps: patch V8 to 9.0.257.24 Refs: https://github.com/v8/v8/compare/9.0.257.21...9.0.257.24 PR-URL: https://github.com/nodejs/node/pull/38423 Reviewed-By: Colin Ihrig Reviewed-By: James M Snell --- deps/v8/include/v8-version.h | 2 +- deps/v8/src/compiler/representation-change.cc | 35 ++++++---- deps/v8/src/compiler/simplified-lowering.cc | 68 ++++++++++++------- deps/v8/src/compiler/type-cache.h | 2 +- deps/v8/src/deoptimizer/deoptimize-reason.h | 1 + 5 files changed, 68 insertions(+), 40 deletions(-) diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h index c89f1e7fe01ba6..11a6c54ad72d0f 100644 --- a/deps/v8/include/v8-version.h +++ b/deps/v8/include/v8-version.h @@ -11,7 +11,7 @@ #define V8_MAJOR_VERSION 9 #define V8_MINOR_VERSION 0 #define V8_BUILD_NUMBER 257 -#define V8_PATCH_LEVEL 21 +#define V8_PATCH_LEVEL 24 // Use 1 for candidates and 0 otherwise. // (Boolean macro values are not supported by all preprocessors.) diff --git a/deps/v8/src/compiler/representation-change.cc b/deps/v8/src/compiler/representation-change.cc index 3d937ada1e7e50..4bfaa1cceea98a 100644 --- a/deps/v8/src/compiler/representation-change.cc +++ b/deps/v8/src/compiler/representation-change.cc @@ -211,7 +211,10 @@ Node* RepresentationChanger::GetRepresentationFor( return GetFloat32RepresentationFor(node, output_rep, output_type, use_info.truncation()); case MachineRepresentation::kFloat64: - DCHECK_NE(TypeCheckKind::kBigInt, use_info.type_check()); + DCHECK(use_info.type_check() == TypeCheckKind::kNone || + use_info.type_check() == TypeCheckKind::kNumber || + use_info.type_check() == TypeCheckKind::kNumberOrBoolean || + use_info.type_check() == TypeCheckKind::kNumberOrOddball); return GetFloat64RepresentationFor(node, output_rep, output_type, use_node, use_info); case MachineRepresentation::kBit: 
@@ -727,15 +730,22 @@ Node* RepresentationChanger::GetFloat64RepresentationFor( } } else if (IsAnyTagged(output_rep)) { if (output_type.Is(Type::Undefined())) { - if (use_info.type_check() == TypeCheckKind::kNumberOrBoolean) { + if (use_info.type_check() == TypeCheckKind::kNumberOrOddball || + (use_info.type_check() == TypeCheckKind::kNone && + use_info.truncation().TruncatesOddballAndBigIntToNumber())) { + return jsgraph()->Float64Constant( + std::numeric_limits::quiet_NaN()); + } else { + DCHECK(use_info.type_check() == TypeCheckKind::kNone || + use_info.type_check() == TypeCheckKind::kNumber || + use_info.type_check() == TypeCheckKind::kNumberOrBoolean); Node* unreachable = InsertUnconditionalDeopt( - use_node, DeoptimizeReason::kNotANumberOrBoolean); + use_node, use_info.type_check() == TypeCheckKind::kNumber + ? DeoptimizeReason::kNotANumber + : DeoptimizeReason::kNotANumberOrBoolean); return jsgraph()->graph()->NewNode( jsgraph()->common()->DeadValue(MachineRepresentation::kFloat64), unreachable); - } else { - return jsgraph()->Float64Constant( - std::numeric_limits::quiet_NaN()); } } else if (output_rep == MachineRepresentation::kTaggedSigned) { node = InsertChangeTaggedSignedToInt32(node); 
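Review bot: The rewritten `output_type.Is(Type::Undefined())` case has no comment explaining why undefined is folded to NaN only for `kNumberOrOddball` or for a `kNone` use whose truncation accepts oddballs, and the allowed kinds in the else branch are listed only in a DCHECK. Every other kind still reaches the unconditional deopt, so a kind outside the DCHECK list is not mis-lowered, but it would report `kNotANumberOrBoolean` as its reason. I would add above the `if`: `// undefined becomes NaN only when the use accepts oddballs; a checked Number/NumberOrBoolean use must deopt instead.` GetFloat64RepresentationFor starts and ends outside this hunk, so how the other `output_type` cases treat the same kinds is not visible here.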
@@ -747,12 +757,13 @@ Node* RepresentationChanger::GetFloat64RepresentationFor( output_type.Is(Type::NumberOrHole())) { // JavaScript 'null' is an Oddball that results in +0 when truncated to // Number. In a context like -0 == null, which must evaluate to false, - // this truncation must not happen. For this reason we restrict this case - // to when either the user explicitly requested a float (and thus wants - // +0 if null is the input) or we know from the types that the input can - // only be Number | Hole. The latter is necessary to handle the operator - // CheckFloat64Hole. We did not put in the type (Number | Oddball \ Null) - // to discover more bugs related to this conversion via crashes. + // this truncation must not happen. For this reason we restrict this + // case to when either the user explicitly requested a float (and thus + // wants +0 if null is the input) or we know from the types that the + // input can only be Number | Hole. The latter is necessary to handle + // the operator CheckFloat64Hole. We did not put in the type (Number | + // Oddball \ Null) to discover more bugs related to this conversion via + // crashes. op = simplified()->TruncateTaggedToFloat64(); } else if (use_info.type_check() == TypeCheckKind::kNumber || (use_info.type_check() == TypeCheckKind::kNumberOrOddball && diff --git a/deps/v8/src/compiler/simplified-lowering.cc b/deps/v8/src/compiler/simplified-lowering.cc index 903e8256f9e9d3..73c3e57c216d67 100644 --- a/deps/v8/src/compiler/simplified-lowering.cc +++ b/deps/v8/src/compiler/simplified-lowering.cc 
@@ -1420,17 +1420,31 @@ class RepresentationSelector { return jsgraph_->simplified(); } - void LowerToCheckedInt32Mul(Node* node, Truncation truncation, - Type input0_type, Type input1_type) { - // If one of the inputs is positive and/or truncation is being applied, - // there is no need to return -0. - CheckForMinusZeroMode mz_mode = - truncation.IdentifiesZeroAndMinusZero() || - IsSomePositiveOrderedNumber(input0_type) || - IsSomePositiveOrderedNumber(input1_type) - ? CheckForMinusZeroMode::kDontCheckForMinusZero - : CheckForMinusZeroMode::kCheckForMinusZero; - ChangeOp(node, simplified()->CheckedInt32Mul(mz_mode)); + template + void VisitForCheckedInt32Mul(Node* node, Truncation truncation, + Type input0_type, Type input1_type, + UseInfo input_use) { + DCHECK_EQ(node->opcode(), IrOpcode::kSpeculativeNumberMultiply); + // A -0 input is impossible or will cause a deopt. + DCHECK(BothInputsAre(node, Type::Signed32()) || + !input_use.truncation().IdentifiesZeroAndMinusZero()); + + CheckForMinusZeroMode mz_mode; + Type restriction; + if (IsSomePositiveOrderedNumber(input0_type) || + IsSomePositiveOrderedNumber(input1_type)) { + mz_mode = CheckForMinusZeroMode::kDontCheckForMinusZero; + restriction = Type::Signed32(); + } else if (truncation.IdentifiesZeroAndMinusZero()) { + mz_mode = CheckForMinusZeroMode::kDontCheckForMinusZero; + restriction = Type::Signed32OrMinusZero(); + } else { + mz_mode = CheckForMinusZeroMode::kCheckForMinusZero; + restriction = Type::Signed32(); + } + + VisitBinop(node, input_use, MachineRepresentation::kWord32, restriction); + if (lower()) ChangeOp(node, simplified()->CheckedInt32Mul(mz_mode)); } void ChangeToInt32OverflowOp(Node* node) { 
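Review bot: In VisitForCheckedInt32Mul, `mz_mode` and `restriction` are declared without initializers, and nothing explains why only the `truncation.IdentifiesZeroAndMinusZero()` branch widens the restriction to `Type::Signed32OrMinusZero()`; the old comment about -0 was removed along with LowerToCheckedInt32Mul. From the visible lines, that branch skips the minus-zero check without knowing that an input is positive, so a result of 0 may stand for -0 and the type has to keep admitting it. A comment on that branch such as `// No -0 check and no positive input: the result may represent -0, so keep it in the restriction.` would record the invariant the typer relies on. A short note on the first DCHECK's pairing of `BothInputsAre(node, Type::Signed32())` with the input truncation would also help, since the two call sites pass different `UseInfo` values.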
@@ -1618,12 +1632,22 @@ class RepresentationSelector { VisitBinop(node, lhs_use, rhs_use, MachineRepresentation::kWord32); if (lower()) DeferReplacement(node, lowering->Int32Mod(node)); } else if (BothInputsAre(node, Type::Unsigned32OrMinusZeroOrNaN())) { + Type const restriction = + truncation.IdentifiesZeroAndMinusZero() && + TypeOf(node->InputAt(0)).Maybe(Type::MinusZero()) + ? Type::Unsigned32OrMinusZero() + : Type::Unsigned32(); VisitBinop(node, lhs_use, rhs_use, MachineRepresentation::kWord32, - Type::Unsigned32()); + restriction); if (lower()) ChangeToUint32OverflowOp(node); } else { + Type const restriction = + truncation.IdentifiesZeroAndMinusZero() && + TypeOf(node->InputAt(0)).Maybe(Type::MinusZero()) + ? Type::Signed32OrMinusZero() + : Type::Signed32(); VisitBinop(node, lhs_use, rhs_use, MachineRepresentation::kWord32, - Type::Signed32()); + restriction); if (lower()) ChangeToInt32OverflowOp(node); } return; @@ -2254,22 +2278,16 @@ class RepresentationSelector { if (BothInputsAre(node, Type::Signed32())) { // If both inputs and feedback are int32, use the overflow op. if (hint == NumberOperationHint::kSignedSmall) { - VisitBinop(node, UseInfo::TruncatingWord32(), - MachineRepresentation::kWord32, Type::Signed32()); - if (lower()) { - LowerToCheckedInt32Mul(node, truncation, input0_type, - input1_type); - } + VisitForCheckedInt32Mul(node, truncation, input0_type, + input1_type, + UseInfo::TruncatingWord32()); return; } } if (hint == NumberOperationHint::kSignedSmall) { - VisitBinop(node, CheckedUseInfoAsWord32FromHint(hint), - MachineRepresentation::kWord32, Type::Signed32()); - if (lower()) { - LowerToCheckedInt32Mul(node, truncation, input0_type, input1_type); - } + VisitForCheckedInt32Mul(node, truncation, input0_type, input1_type, + CheckedUseInfoAsWord32FromHint(hint)); return; } 
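Review bot: The `restriction` expression in the `@@ -1618` hunk is written out twice, in the `Unsigned32OrMinusZeroOrNaN` branch and in the final `else`, differing only in `Unsigned32`/`Signed32`, and neither copy says why only `node->InputAt(0)` is tested against `Type::MinusZero()`. Judging by the `Int32Mod` context line this is the modulus case, where presumably only the left operand can make the result -0; a comment on the first copy such as `// Only the dividend can make the result -0, so only input 0 is checked.` would state that. Without it, a later edit could easily bring the two copies out of step or extend the test to both inputs. The enclosing visitor case begins and ends outside the hunk.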
@@ -4002,7 +4020,6 @@ template <> void RepresentationSelector::SetOutput( Node* node, MachineRepresentation representation, Type restriction_type) { NodeInfo* const info = GetInfo(node); - DCHECK(info->restriction_type().Is(restriction_type)); DCHECK(restriction_type.Is(info->restriction_type())); info->set_output(representation); } @@ -4012,7 +4029,6 @@ void RepresentationSelector::SetOutput( Node* node, MachineRepresentation representation, Type restriction_type) { NodeInfo* const info = GetInfo(node); DCHECK_EQ(info->representation(), representation); - DCHECK(info->restriction_type().Is(restriction_type)); DCHECK(restriction_type.Is(info->restriction_type())); USE(info); } diff --git a/deps/v8/src/compiler/type-cache.h b/deps/v8/src/compiler/type-cache.h index ada95a37219fc0..2ade5f68a3b1d9 100644 --- a/deps/v8/src/compiler/type-cache.h +++ b/deps/v8/src/compiler/type-cache.h @@ -80,7 +80,7 @@ class V8_EXPORT_PRIVATE TypeCache final { Type::Union(kPositiveIntegerOrMinusZero, Type::NaN(), zone()); Type const kAdditiveSafeInteger = - CreateRange(-4503599627370496.0, 4503599627370496.0); + CreateRange(-4503599627370495.0, 4503599627370495.0); Type const kSafeInteger = CreateRange(-kMaxSafeInteger, kMaxSafeInteger); Type const kAdditiveSafeIntegerOrMinusZero = Type::Union(kAdditiveSafeInteger, Type::MinusZero(), zone()); diff --git a/deps/v8/src/deoptimizer/deoptimize-reason.h b/deps/v8/src/deoptimizer/deoptimize-reason.h index 3dc0f0599b21b3..4ad302ed6c6439 100644 --- a/deps/v8/src/deoptimizer/deoptimize-reason.h +++ b/deps/v8/src/deoptimizer/deoptimize-reason.h @@ -44,6 +44,7 @@ namespace internal { V(NotAJavaScriptObject, "not a JavaScript object") \ V(NotAJavaScriptObjectOrNullOrUndefined, \ "not a JavaScript object, Null or Undefined") \ + V(NotANumber, "not a Number") \ V(NotANumberOrBoolean, "not a Number or Boolean") \ V(NotANumberOrOddball, "not a Number or Oddball") \ V(NotAnArrayIndex, "not an array index") \
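Review bot: In type-cache.h the new `kAdditiveSafeInteger` bounds `-4503599627370495.0, 4503599627370495.0` are bare literals with no derivation, which makes an off-by-one in a range the typer trusts hard to spot in review. They read as 2^52 - 1, which keeps the sum of two values from this range within `kSafeInteger` if `kMaxSafeInteger` is 2^53 - 1 (its definition is outside this hunk); the previous 2^52 bound allowed a sum of 2^53. I would add above the declaration: `// +/-(2^52 - 1): the sum of any two values in this range is still a safe integer.`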