@@ -211,7 +211,10 @@ Node* RepresentationChanger::GetRepresentationFor(
211211 return GetFloat32RepresentationFor (node, output_rep, output_type,
212212 use_info.truncation ());
213213 case MachineRepresentation::kFloat64 :
214- DCHECK_NE (TypeCheckKind::kBigInt , use_info.type_check ());
214+ DCHECK (use_info.type_check () == TypeCheckKind::kNone ||
215+ use_info.type_check () == TypeCheckKind::kNumber ||
216+ use_info.type_check () == TypeCheckKind::kNumberOrBoolean ||
217+ use_info.type_check () == TypeCheckKind::kNumberOrOddball );
215218 return GetFloat64RepresentationFor (node, output_rep, output_type,
216219 use_node, use_info);
217220 case MachineRepresentation::kBit :
@@ -729,15 +732,22 @@ Node* RepresentationChanger::GetFloat64RepresentationFor(
729732 }
730733 } else if (IsAnyTagged (output_rep)) {
731734 if (output_type.Is (Type::Undefined ())) {
732- if (use_info.type_check () == TypeCheckKind::kNumberOrBoolean ) {
735+ if (use_info.type_check () == TypeCheckKind::kNumberOrOddball ||
736+ (use_info.type_check () == TypeCheckKind::kNone &&
737+ use_info.truncation ().TruncatesOddballAndBigIntToNumber ())) {
738+ return jsgraph ()->Float64Constant (
739+ std::numeric_limits<double >::quiet_NaN ());
740+ } else {
741+ DCHECK (use_info.type_check () == TypeCheckKind::kNone ||
742+ use_info.type_check () == TypeCheckKind::kNumber ||
743+ use_info.type_check () == TypeCheckKind::kNumberOrBoolean );
733744 Node* unreachable = InsertUnconditionalDeopt (
734- use_node, DeoptimizeReason::kNotANumberOrBoolean );
745+ use_node, use_info.type_check () == TypeCheckKind::kNumber
746+ ? DeoptimizeReason::kNotANumber
747+ : DeoptimizeReason::kNotANumberOrBoolean );
735748 return jsgraph ()->graph ()->NewNode (
736749 jsgraph ()->common ()->DeadValue (MachineRepresentation::kFloat64 ),
737750 unreachable);
738- } else {
739- return jsgraph ()->Float64Constant (
740- std::numeric_limits<double >::quiet_NaN ());
741751 }
742752 } else if (output_rep == MachineRepresentation::kTaggedSigned ) {
743753 node = InsertChangeTaggedSignedToInt32 (node);
@@ -749,12 +759,13 @@ Node* RepresentationChanger::GetFloat64RepresentationFor(
749759 output_type.Is (Type::NumberOrHole ())) {
750760 // JavaScript 'null' is an Oddball that results in +0 when truncated to
751761 // Number. In a context like -0 == null, which must evaluate to false,
752- // this truncation must not happen. For this reason we restrict this case
753- // to when either the user explicitly requested a float (and thus wants
754- // +0 if null is the input) or we know from the types that the input can
755- // only be Number | Hole. The latter is necessary to handle the operator
756- // CheckFloat64Hole. We did not put in the type (Number | Oddball \ Null)
757- // to discover more bugs related to this conversion via crashes.
762+ // this truncation must not happen. For this reason we restrict this
763+ // case to when either the user explicitly requested a float (and thus
764+ // wants +0 if null is the input) or we know from the types that the
765+ // input can only be Number | Hole. The latter is necessary to handle
766+ // the operator CheckFloat64Hole. We did not put in the type (Number |
767+ // Oddball \ Null) to discover more bugs related to this conversion via
768+ // crashes.
758769 op = simplified ()->TruncateTaggedToFloat64 ();
759770 } else if (use_info.type_check () == TypeCheckKind::kNumber ||
760771 (use_info.type_check () == TypeCheckKind::kNumberOrOddball &&
0 commit comments