From 5372f1ff5ba387ee74f149ac577e60939df1716c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C3=ABl=20Zasso?= Date: Sat, 17 Apr 2021 16:28:40 +0200 Subject: [PATCH] deps: V8: cherry-pick a59e3ac1d7fa Original commit message: Merged: [compiler] Fix bug in SimplifiedLowering's overflow computation Revision: e371325bcb03f20a362ebfa48225159702c6fde7 BUG=chromium:1126249 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true R=tebbi@chromium.org Change-Id: I411d9233f77992e73da12784cef59c885999b556 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2415988 Reviewed-by: Tobias Tebbi Commit-Queue: Georg Neis Cr-Commit-Position: refs/branch-heads/8.6@{#8} Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472} Refs: https://github.com/v8/v8/commit/a59e3ac1d7fa6da39421130f8df1b5be50dca7d9 PR-URL: https://github.com/nodejs/node/pull/38275 Reviewed-By: Matteo Collina Reviewed-By: Jiawen Geng Reviewed-By: Shelley Vohr
---
 common.gypi | 2 +-
 deps/v8/src/compiler/simplified-lowering.cc | 17 +++++++++-----
 .../test/mjsunit/compiler/regress-1126249.js | 22 +++++++++++++++++++
 3 files changed, 35 insertions(+), 6 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/compiler/regress-1126249.js
diff --git a/common.gypi b/common.gypi
index 9d9c830b3d0c8c..8cf35e1ac1c71b 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.30',
+ 'v8_embedder_string': '-node.31',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/compiler/simplified-lowering.cc b/deps/v8/src/compiler/simplified-lowering.cc
index d00acefc39c791..9252906e70d2a2 100644
--- a/deps/v8/src/compiler/simplified-lowering.cc
+++ b/deps/v8/src/compiler/simplified-lowering.cc
@@ -178,10 +178,16 @@ void ReplaceEffectControlUses(Node* node, Node* effect, Node* control) {
 }
 bool CanOverflowSigned32(const Operator* op, Type left, Type right,
- Zone* type_zone) {
- // We assume the inputs are checked Signed32 (or known statically
- // to be Signed32). Technically, the inputs could also be minus zero, but
- // that cannot cause overflow.
+ TypeCache const* type_cache, Zone* type_zone) {
+ // We assume the inputs are checked Signed32 (or known statically to be
+ // Signed32). Technically, the inputs could also be minus zero, which we treat
+ // as 0 for the purpose of this function.
+ if (left.Maybe(Type::MinusZero())) {
+ left = Type::Union(left, type_cache->kSingletonZero, type_zone);
+ }
+ if (right.Maybe(Type::MinusZero())) {
+ right = Type::Union(right, type_cache->kSingletonZero, type_zone);
+ }
 left = Type::Intersect(left, Type::Signed32(), type_zone);
 right = Type::Intersect(right, Type::Signed32(), type_zone);
 if (left.IsNone() || right.IsNone()) return false;
@@ -1457,7 +1463,8 @@ class RepresentationSelector {
 if (lower()) {
 if (truncation.IsUsedAsWord32() ||
 !CanOverflowSigned32(node->op(), left_feedback_type,
- right_feedback_type, graph_zone())) {
+ right_feedback_type, type_cache_,
+ graph_zone())) {
 ChangeToPureOp(node, Int32Op(node));
 } else {
diff --git a/deps/v8/test/mjsunit/compiler/regress-1126249.js b/deps/v8/test/mjsunit/compiler/regress-1126249.js
new file mode 100644
index 00000000000000..87f4885305da3c
--- /dev/null
+++ b/deps/v8/test/mjsunit/compiler/regress-1126249.js
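Review bot: The rewritten comment in CanOverflowSigned32 says minus zero is treated as 0 but not why that is needed: the `Type::Intersect(..., Type::Signed32(), ...)` lines directly below appear to discard a MinusZero component, so without the union the range used for the overflow decision would be too narrow. Since the caller in RepresentationSelector switches to `ChangeToPureOp(node, Int32Op(node))` whenever this returns false, an under-approximation here silently removes the overflow check, and I would state that invariant next to the new code, e.g. `// MinusZero is not part of Signed32; add 0 so the intersection below cannot drop an input that behaves like 0.` The two `Maybe(Type::MinusZero())` blocks differ only in the operand and could share a small local helper. The function body continues past the end of this hunk.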
@@ -0,0 +1,22 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(b) {
+ var x = -0;
+ var y = -0x80000000;
+
+ if (b) {
+ x = -1;
+ y = 1;
+ }
+
+ return (x - y) == -0x80000000;
+}
+
+%PrepareFunctionForOptimization(foo);
+assertFalse(foo(true));
+%OptimizeFunctionOnNextCall(foo);
+assertFalse(foo(false));
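Review bot: The regression test carries no comment saying what it checks, so the choice of `-0` and `-0x80000000` reads as arbitrary. On the optimized `foo(false)` call `x - y` is `-0 - (-0x80000000)`, i.e. 2147483648, which compares equal to `-0x80000000` only if the subtraction was lowered to a wrapping int32 operation; a line such as `// -0 - (-2**31) is 2**31, outside int32; an unchecked int32 subtract would wrap to -2**31.` above the `return` would make that explicit. The test covers subtraction only; if the patched helper also decides overflow for addition (its body is not visible here), a matching addition case would be worth adding.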