From 9bfb0f33e90037db38afacdcdc0064cdb1448892 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?=
Date: Sat, 17 Apr 2021 16:28:48 +0200
Subject: [PATCH] deps: V8: cherry-pick 3066b7b2fcb3
Original commit message:
[LTS-M86][compiler][x64] Fix bug in InstructionSelector::ChangeInt32ToInt64
(cherry picked from commit 02f84c745fc0cae5927a66dc4a3e81334e8f60a6)
No-Try: true
No-Presubmit: true
No-Tree-Checks: true
Bug: chromium:1196683
Change-Id: Ib4ea738b47b64edc81450583be4c80a41698c3d1
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2820971
Commit-Queue: Georg Neis
Reviewed-by: Nico Hartmann
Cr-Original-Commit-Position: refs/heads/master@{#73903}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2821959
Commit-Queue: Jana Grill
Reviewed-by: Georg Neis
Reviewed-by: Victor-Gabriel Savu
Cr-Commit-Position: refs/branch-heads/8.6@{#75}
Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}
Refs: https://github.com/v8/v8/commit/3066b7b2fcb3aa66541a4818e1165e34acc52639
PR-URL: https://github.com/nodejs/node/pull/38275
Reviewed-By: Matteo Collina
Reviewed-By: Jiawen Geng
Reviewed-By: Shelley Vohr
---
 common.gypi | 2 +-
 .../backend/x64/instruction-selector-x64.cc | 4 +-
 .../test/mjsunit/compiler/regress-1196683.js | 56 +++++++++++++++++++
 3 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/compiler/regress-1196683.js
diff --git a/common.gypi b/common.gypi
index 64e08805c89ad6..0395077e443751 100644
--- a/common.gypi
+++ b/common.gypi
@@ -36,7 +36,7 @@
 # Reset this number to 0 on major V8 upgrades.
 # Increment by one for each non-official patch applied to deps/v8.
- 'v8_embedder_string': '-node.49',
+ 'v8_embedder_string': '-node.50',
 ##### V8 defaults for Node.js #####
diff --git a/deps/v8/src/compiler/backend/x64/instruction-selector-x64.cc b/deps/v8/src/compiler/backend/x64/instruction-selector-x64.cc
index dd3f556937d096..56dd17ac693e7e 100644
--- a/deps/v8/src/compiler/backend/x64/instruction-selector-x64.cc
+++ b/deps/v8/src/compiler/backend/x64/instruction-selector-x64.cc
@@ -1270,7 +1270,9 @@ void InstructionSelector::VisitChangeInt32ToInt64(Node* node) {
 opcode = load_rep.IsSigned() ? kX64Movsxwq : kX64Movzxwq;
 break;
 case MachineRepresentation::kWord32:
- opcode = load_rep.IsSigned() ? kX64Movsxlq : kX64Movl;
+ // ChangeInt32ToInt64 must interpret its input as a _signed_ 32-bit
+ // integer, so here we must sign-extend the loaded value in any case.
+ opcode = kX64Movsxlq;
 break;
 default:
 UNREACHABLE();
diff --git a/deps/v8/test/mjsunit/compiler/regress-1196683.js b/deps/v8/test/mjsunit/compiler/regress-1196683.js
new file mode 100644
index 00000000000000..abd7d6b2f8da45
--- /dev/null
+++ b/deps/v8/test/mjsunit/compiler/regress-1196683.js
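Review bot: The new comment in the `kWord32` case says why that load must sign-extend, but it leaves open why the `kWord16` case just above (and presumably `kWord8`, which is outside the hunk) may still choose a zero-extending move through `load_rep.IsSigned()`. Those cases stay correct because a zero-extended 8- or 16-bit value is always a non-negative int32, so its 64-bit sign extension has the same bits; only a 32-bit unsigned load can have bit 31 set. I would record that next to the fix, for example `// Narrower unsigned loads may zero-extend: the result always fits in a non-negative int32.`, so a later edit does not "simplify" the cases back into one pattern. The switch and the body of VisitChangeInt32ToInt64 begin and end outside the hunk, so the exact placement needs checking against the full file.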
@@ -0,0 +1,56 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+
+(function() {
+ const arr = new Uint32Array([2**31]);
+ function foo() {
+ return (arr[0] ^ 0) + 1;
+ }
+ %PrepareFunctionForOptimization(foo);
+ assertEquals(-(2**31) + 1, foo());
+ %OptimizeFunctionOnNextCall(foo);
+ assertEquals(-(2**31) + 1, foo());
+});
+
+
+// The remaining tests already passed without the bugfix.
+
+
+(function() {
+ const arr = new Uint16Array([2**15]);
+ function foo() {
+ return (arr[0] ^ 0) + 1;
+ }
+ %PrepareFunctionForOptimization(foo);
+ assertEquals(2**15 + 1, foo());
+ %OptimizeFunctionOnNextCall(foo);
+ assertEquals(2**15 + 1, foo());
+})();
+
+
+(function() {
+ const arr = new Uint8Array([2**7]);
+ function foo() {
+ return (arr[0] ^ 0) + 1;
+ }
+ %PrepareFunctionForOptimization(foo);
+ assertEquals(2**7 + 1, foo());
+ %OptimizeFunctionOnNextCall(foo);
+ assertEquals(2**7 + 1, foo());
+})();
+
+
+(function() {
+ const arr = new Int32Array([-(2**31)]);
+ function foo() {
+ return (arr[0] >>> 0) + 1;
+ }
+ %PrepareFunctionForOptimization(foo);
+ assertEquals(2**31 + 1, foo());
+ %OptimizeFunctionOnNextCall(foo);
+ assertEquals(2**31 + 1, foo());
+})();
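Review bot: The first test function, the only one that covers the `Uint32Array` load this commit fixes, is never invoked: it closes with `});` while the other three close with `})();`. The function expression is evaluated and discarded, so neither `assertEquals(-(2**31) + 1, foo())` check runs, before or after `%OptimizeFunctionOnNextCall(foo)`. Since the file's own comment says the remaining tests already passed without the bugfix, the regression test as committed would not fail if the instruction-selector change were reverted. Close the first block with `})();` so the fixed path is actually exercised; because this is a cherry-pick, the same correction is worth sending upstream.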