diff --git a/common.gypi b/common.gypi index 4ca813b9fc8370..b706dc925dc522 100644 --- a/common.gypi +++ b/common.gypi @@ -36,7 +36,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.38', + 'v8_embedder_string': '-node.39', ##### V8 defaults for Node.js ##### diff --git a/deps/v8/src/compiler/simplified-lowering.cc b/deps/v8/src/compiler/simplified-lowering.cc index 9252906e70d2a2..a9229617dad037 100644 --- a/deps/v8/src/compiler/simplified-lowering.cc +++ b/deps/v8/src/compiler/simplified-lowering.cc @@ -1381,7 +1381,6 @@ class RepresentationSelector { IsSomePositiveOrderedNumber(input1_type) ? CheckForMinusZeroMode::kDontCheckForMinusZero : CheckForMinusZeroMode::kCheckForMinusZero; - NodeProperties::ChangeOp(node, simplified()->CheckedInt32Mul(mz_mode)); } @@ -1425,6 +1424,13 @@ class RepresentationSelector { Type left_feedback_type = TypeOf(node->InputAt(0)); Type right_feedback_type = TypeOf(node->InputAt(1)); + + // Using Signed32 as restriction type amounts to promising there won't be + // signed overflow. This is incompatible with relying on a Word32 + // truncation in order to skip the overflow check. + Type const restriction = + truncation.IsUsedAsWord32() ? Type::Any() : Type::Signed32(); + // Handle the case when no int32 checks on inputs are necessary (but // an overflow check is needed on the output). Note that we do not // have to do any check if at most one side can be minus zero. For @@ -1438,7 +1444,7 @@ class RepresentationSelector { right_upper.Is(Type::Signed32OrMinusZero()) && (left_upper.Is(Type::Signed32()) || right_upper.Is(Type::Signed32()))) { VisitBinop(node, UseInfo::TruncatingWord32(), - MachineRepresentation::kWord32, Type::Signed32()); + MachineRepresentation::kWord32, restriction); } else { // If the output's truncation is identify-zeros, we can pass it // along. Moreover, if the operation is addition and we know the @@ -1458,8 +1464,9 @@ class RepresentationSelector { UseInfo right_use = CheckedUseInfoAsWord32FromHint(hint, FeedbackSource(), kIdentifyZeros); VisitBinop(node, left_use, right_use, MachineRepresentation::kWord32, - Type::Signed32()); + restriction); } + if (lower()) { if (truncation.IsUsedAsWord32() || !CanOverflowSigned32(node->op(), left_feedback_type, diff --git a/deps/v8/test/mjsunit/compiler/regress-1150649.js b/deps/v8/test/mjsunit/compiler/regress-1150649.js new file mode 100644 index 00000000000000..a193481a3a20dc --- /dev/null +++ b/deps/v8/test/mjsunit/compiler/regress-1150649.js @@ -0,0 +1,24 @@ +// Copyright 2020 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +function foo(a) { + var y = 0x7fffffff; // 2^31 - 1 + + // Widen the static type of y (this condition never holds). + if (a == NaN) y = NaN; + + // The next condition holds only in the warmup run. It leads to Smi + // (SignedSmall) feedback being collected for the addition below. + if (a) y = -1; + + const z = (y + 1)|0; + return z < 0; +} + +%PrepareFunctionForOptimization(foo); +assertFalse(foo(true)); +%OptimizeFunctionOnNextCall(foo); +assertTrue(foo(false));