From 8e80fc7ff84bb477eb05ddcd59ac492d9fbf5c8d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C3=ABl=20Zasso?=
Date: Wed, 14 Apr 2021 17:09:59 +0200
Subject: [PATCH] deps: patch V8 to 9.0.257.17
Refs: https://github.com/v8/v8/compare/9.0.257.16...9.0.257.17
PR-URL: https://github.com/nodejs/node/pull/38237
Reviewed-By: Rich Trott
Reviewed-By: Beth Griggs
Reviewed-By: Richard Lau
Reviewed-By: Colin Ihrig
Reviewed-By: James M Snell
---
 deps/v8/include/v8-version.h | 2 +-
 .../backend/x64/instruction-selector-x64.cc | 4 +-
 .../test/mjsunit/compiler/regress-1196683.js | 56 +++++++++++++++++++
 3 files changed, 60 insertions(+), 2 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/compiler/regress-1196683.js
diff --git a/deps/v8/include/v8-version.h b/deps/v8/include/v8-version.h
index 089daa47f96ec0..4826580f7b16aa 100644
--- a/deps/v8/include/v8-version.h
+++ b/deps/v8/include/v8-version.h
@@ -11,7 +11,7 @@
 #define V8_MAJOR_VERSION 9
 #define V8_MINOR_VERSION 0
 #define V8_BUILD_NUMBER 257
-#define V8_PATCH_LEVEL 16
+#define V8_PATCH_LEVEL 17
 // Use 1 for candidates and 0 otherwise.
 // (Boolean macro values are not supported by all preprocessors.)
diff --git a/deps/v8/src/compiler/backend/x64/instruction-selector-x64.cc b/deps/v8/src/compiler/backend/x64/instruction-selector-x64.cc
index 550835767596b1..bbfc0a09bde70d 100644
--- a/deps/v8/src/compiler/backend/x64/instruction-selector-x64.cc
+++ b/deps/v8/src/compiler/backend/x64/instruction-selector-x64.cc
@@ -1396,7 +1396,9 @@ void InstructionSelector::VisitChangeInt32ToInt64(Node* node) {
 opcode = load_rep.IsSigned() ? kX64Movsxwq : kX64Movzxwq;
 break;
 case MachineRepresentation::kWord32:
- opcode = load_rep.IsSigned() ? kX64Movsxlq : kX64Movl;
+ // ChangeInt32ToInt64 must interpret its input as a _signed_ 32-bit
+ // integer, so here we must sign-extend the loaded value in any case.
+ opcode = kX64Movsxlq;
 break;
 default:
 UNREACHABLE();
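Review bot: The `kWord32` case is now the only visible branch of this switch that ignores `load_rep.IsSigned()`, and the new comment explains that branch but not why the narrower case just above it (`kX64Movsxwq : kX64Movzxwq`) may still zero-extend. A short comment there would keep the asymmetry from being "tidied" back or copied wrongly into another case, for example `// A zero-extended load narrower than 32 bits is still a non-negative value in int32 range, so IsSigned() may choose the extension here.` This matters because consumers of ChangeInt32ToInt64 assume a sign-extended 32-bit value; a zero-extended 2**31 in the register lies outside the range the rest of the compiler reasons about. The switch and the function body start and end outside the hunk, so the 8-bit case is presumably handled like the one shown but cannot be confirmed from here.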
diff --git a/deps/v8/test/mjsunit/compiler/regress-1196683.js b/deps/v8/test/mjsunit/compiler/regress-1196683.js
new file mode 100644
index 00000000000000..abd7d6b2f8da45
--- /dev/null
+++ b/deps/v8/test/mjsunit/compiler/regress-1196683.js
@@ -0,0 +1,56 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+
+(function() {
+ const arr = new Uint32Array([2**31]);
+ function foo() {
+ return (arr[0] ^ 0) + 1;
+ }
+ %PrepareFunctionForOptimization(foo);
+ assertEquals(-(2**31) + 1, foo());
+ %OptimizeFunctionOnNextCall(foo);
+ assertEquals(-(2**31) + 1, foo());
+});
+
+
+// The remaining tests already passed without the bugfix.
+
+
+(function() {
+ const arr = new Uint16Array([2**15]);
+ function foo() {
+ return (arr[0] ^ 0) + 1;
+ }
+ %PrepareFunctionForOptimization(foo);
+ assertEquals(2**15 + 1, foo());
+ %OptimizeFunctionOnNextCall(foo);
+ assertEquals(2**15 + 1, foo());
+})();
+
+
+(function() {
+ const arr = new Uint8Array([2**7]);
+ function foo() {
+ return (arr[0] ^ 0) + 1;
+ }
+ %PrepareFunctionForOptimization(foo);
+ assertEquals(2**7 + 1, foo());
+ %OptimizeFunctionOnNextCall(foo);
+ assertEquals(2**7 + 1, foo());
+})();
+
+
+(function() {
+ const arr = new Int32Array([-(2**31)]);
+ function foo() {
+ return (arr[0] >>> 0) + 1;
+ }
+ %PrepareFunctionForOptimization(foo);
+ assertEquals(2**31 + 1, foo());
+ %OptimizeFunctionOnNextCall(foo);
+ assertEquals(2**31 + 1, foo());
+})();
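Review bot: The first test function, the Uint32Array case and the only one the file's own comment ties to the bugfix, is defined but never invoked: it closes with `});` while the three functions after it close with `})();`. As written its `assertEquals(-(2**31) + 1, foo())` checks never run, so the file would pass with or without the instruction-selector change and gives no regression protection for the sign-extension fix. Close the first function with `})();` so both the unoptimized and the optimized call are actually exercised.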