Skip to content

Commit

Permalink
deps: V8: cherry-pick a59e3ac1d7fa
Browse files Browse the repository at this point in the history
Original commit message:

    Merged: [compiler] Fix bug in SimplifiedLowering's overflow computation

    Revision: e371325bcb03f20a362ebfa48225159702c6fde7

    BUG=chromium:1126249
    NOTRY=true
    NOPRESUBMIT=true
    NOTREECHECKS=true
    R=tebbi@chromium.org

    Change-Id: I411d9233f77992e73da12784cef59c885999b556
    Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2415988
    Reviewed-by: Tobias Tebbi <tebbi@chromium.org>
    Commit-Queue: Georg Neis <neis@chromium.org>
    Cr-Commit-Position: refs/branch-heads/8.6@{#8}
    Cr-Branched-From: a64aed2333abf49e494d2a5ce24bbd14fff19f60-refs/heads/8.6.395@{#1}
    Cr-Branched-From: a626bc036236c9bf92ac7b87dc40c9e538b087e3-refs/heads/master@{#69472}

Refs: v8/v8@a59e3ac
  • Loading branch information
targos committed Apr 27, 2021
1 parent 201c2d9 commit 8e9415c
Show file tree
Hide file tree
Showing 3 changed files with 35 additions and 6 deletions.
2 changes: 1 addition & 1 deletion common.gypi
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@

# Reset this number to 0 on major V8 upgrades.
# Increment by one for each non-official patch applied to deps/v8.
'v8_embedder_string': '-node.30',
'v8_embedder_string': '-node.31',

##### V8 defaults for Node.js #####

Expand Down
17 changes: 12 additions & 5 deletions deps/v8/src/compiler/simplified-lowering.cc
Original file line number Diff line number Diff line change
Expand Up @@ -178,10 +178,16 @@ void ReplaceEffectControlUses(Node* node, Node* effect, Node* control) {
}

bool CanOverflowSigned32(const Operator* op, Type left, Type right,
Zone* type_zone) {
// We assume the inputs are checked Signed32 (or known statically
// to be Signed32). Technically, the inputs could also be minus zero, but
// that cannot cause overflow.
TypeCache const* type_cache, Zone* type_zone) {
// We assume the inputs are checked Signed32 (or known statically to be
// Signed32). Technically, the inputs could also be minus zero, which we treat
// as 0 for the purpose of this function.
if (left.Maybe(Type::MinusZero())) {
left = Type::Union(left, type_cache->kSingletonZero, type_zone);
}
if (right.Maybe(Type::MinusZero())) {
right = Type::Union(right, type_cache->kSingletonZero, type_zone);
}
left = Type::Intersect(left, Type::Signed32(), type_zone);
right = Type::Intersect(right, Type::Signed32(), type_zone);
if (left.IsNone() || right.IsNone()) return false;
Expand Down Expand Up @@ -1457,7 +1463,8 @@ class RepresentationSelector {
if (lower<T>()) {
if (truncation.IsUsedAsWord32() ||
!CanOverflowSigned32(node->op(), left_feedback_type,
right_feedback_type, graph_zone())) {
right_feedback_type, type_cache_,
graph_zone())) {
ChangeToPureOp(node, Int32Op(node));

} else {
Expand Down
22 changes: 22 additions & 0 deletions deps/v8/test/mjsunit/compiler/regress-1126249.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Flags: --allow-natives-syntax

function foo(b) {
var x = -0;
var y = -0x80000000;

if (b) {
x = -1;
y = 1;
}

return (x - y) == -0x80000000;
}

%PrepareFunctionForOptimization(foo);
assertFalse(foo(true));
%OptimizeFunctionOnNextCall(foo);
assertFalse(foo(false));

0 comments on commit 8e9415c

Please sign in to comment.