diff --git a/common.gypi b/common.gypi index 9d9c830b3d0c8c..8cf35e1ac1c71b 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.30', + 'v8_embedder_string': '-node.31', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/compiler/simplified-lowering.cc b/deps/v8/src/compiler/simplified-lowering.cc index d00acefc39c791..9252906e70d2a2 100644 --- a/deps/v8/src/compiler/simplified-lowering.cc +++ b/deps/v8/src/compiler/simplified-lowering.cc @@ -178,10 +178,16 @@ void ReplaceEffectControlUses(Node* node, Node* effect, Node* control) { } bool CanOverflowSigned32(const Operator* op, Type left, Type right, - Zone* type_zone) { - // We assume the inputs are checked Signed32 (or known statically - // to be Signed32). Technically, the inputs could also be minus zero, but - // that cannot cause overflow. + TypeCache const* type_cache, Zone* type_zone) { + // We assume the inputs are checked Signed32 (or known statically to be + // Signed32). Technically, the inputs could also be minus zero, which we treat + // as 0 for the purpose of this function. + if (left.Maybe(Type::MinusZero())) { + left = Type::Union(left, type_cache->kSingletonZero, type_zone); + } + if (right.Maybe(Type::MinusZero())) { + right = Type::Union(right, type_cache->kSingletonZero, type_zone); + } left = Type::Intersect(left, Type::Signed32(), type_zone); right = Type::Intersect(right, Type::Signed32(), type_zone); if (left.IsNone() || right.IsNone()) return false; @@ -1457,7 +1463,8 @@ class RepresentationSelector { if (lower()) { if (truncation.IsUsedAsWord32() || !CanOverflowSigned32(node->op(), left_feedback_type, - right_feedback_type, graph_zone())) { + right_feedback_type, type_cache_, + graph_zone())) { ChangeToPureOp(node, Int32Op(node)); } else { diff --git a/deps/v8/test/mjsunit/compiler/regress-1126249.js b/deps/v8/test/mjsunit/compiler/regress-1126249.js new file mode 100644 index 00000000000000..87f4885305da3c --- /dev/null +++ b/deps/v8/test/mjsunit/compiler/regress-1126249.js @@ -0,0 +1,22 @@ +// Copyright 2020 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function foo(b) { + var x = -0; + var y = -0x80000000; + + if (b) { + x = -1; + y = 1; + } + + return (x - y) == -0x80000000; +} + +%PrepareFunctionForOptimization(foo); +assertFalse(foo(true)); +%OptimizeFunctionOnNextCall(foo); +assertFalse(foo(false));