[maglev] Check for negative zero and NaN in CheckValueEqualsFloat64

victorgomes · V8 LUCI CQ · commit c33af9bd408e · 2025-03-26T08:33:36.000-07:00
Fixed: 406043356 Change-Id: Ibc9b3766846a4ac0a1416767099cf9924dcc28c1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6396659 Auto-Submit: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Victor Gomes <victorgomes@chromium.org> Commit-Queue: Darius Mercadier <dmercadier@chromium.org> Reviewed-by: Darius Mercadier <dmercadier@chromium.org> Cr-Commit-Position: refs/heads/main@{#99476}
diff --git a/src/compiler/turboshaft/assembler.h b/src/compiler/turboshaft/assembler.h
@@ -4715,8 +4715,8 @@ class TurboshaftAssemblerOpInterface
     return ReduceIfReachableSameValue(left, right, mode);
   }
 
-  V<Word32> Float64SameValue(V<Float64> left, V<Float64> right) {
-    return ReduceIfReachableFloat64SameValue(left, right);
+  V<Word32> Float64SameValue(ConstOrV<Float64> left, ConstOrV<Float64> right) {
+    return ReduceIfReachableFloat64SameValue(resolve(left), resolve(right));
   }
 
   OpIndex FastApiCall(V<turboshaft::FrameState> frame_state,
diff --git a/src/compiler/turboshaft/machine-lowering-reducer-inl.h b/src/compiler/turboshaft/machine-lowering-reducer-inl.h
@@ -3203,6 +3203,7 @@ class MachineLoweringReducer : public Next {
   V<Word32> REDUCE(Float64SameValue)(V<Float64> left, V<Float64> right) {
     Label<Word32> done(this);
 
+    // TODO(dmercadier): Optimize if one of the sides is a constant.
     IF (__ Float64Equal(left, right)) {
       // Even if the values are float64-equal, we still need to distinguish
       // zero and minus zero.
diff --git a/src/compiler/turboshaft/maglev-graph-building-phase.cc b/src/compiler/turboshaft/maglev-graph-building-phase.cc
@@ -2351,14 +2351,6 @@ class GraphBuildingNodeProcessor {
     SetMap(node, value);
     return maglev::ProcessResult::kContinue;
   }
-  maglev::ProcessResult Process(maglev::CheckFloat64IsNan* node,
-                                const maglev::ProcessingState& state) {
-    GET_FRAME_STATE_MAYBE_ABORT(frame_state, node->eager_deopt_info());
-    __ DeoptimizeIfNot(__ Float64IsNaN(Map(node->target_input())), frame_state,
-                       node->deoptimize_reason(),
-                       node->eager_deopt_info()->feedback_to_update());
-    return maglev::ProcessResult::kContinue;
-  }
   void CheckMaps(V<Object> receiver_input, V<FrameState> frame_state,
                  OptionalV<Map> object_map, const FeedbackSource& feedback,
                  const compiler::ZoneRefSet<Map>& maps, bool check_heap_object,
@@ -2461,14 +2453,13 @@ class GraphBuildingNodeProcessor {
                        node->eager_deopt_info()->feedback_to_update());
     return maglev::ProcessResult::kContinue;
   }
-  maglev::ProcessResult Process(maglev::CheckValueEqualsFloat64* node,
+  maglev::ProcessResult Process(maglev::CheckFloat64SameValue* node,
                                 const maglev::ProcessingState& state) {
-    DCHECK(!std::isnan(node->value()));
     GET_FRAME_STATE_MAYBE_ABORT(frame_state, node->eager_deopt_info());
-    __ DeoptimizeIfNot(
-        __ Float64Equal(Map(node->target_input()), node->value()), frame_state,
-        node->deoptimize_reason(),
-        node->eager_deopt_info()->feedback_to_update());
+    __ DeoptimizeIfNot(__ Float64SameValue(Map(node->target_input()),
+                                           node->value().get_scalar()),
+                       frame_state, node->deoptimize_reason(),
+                       node->eager_deopt_info()->feedback_to_update());
     return maglev::ProcessResult::kContinue;
   }
   maglev::ProcessResult Process(maglev::CheckString* node,
diff --git a/src/maglev/arm/maglev-ir-arm.cc b/src/maglev/arm/maglev-ir-arm.cc
@@ -172,6 +172,31 @@ void CheckedIntPtrToInt32::GenerateCode(MaglevAssembler* masm,
   // On 32-bit platforms, IntPtr is the same as Int32.
 }
 
+void CheckFloat64SameValue::SetValueLocationConstraints() {
+  UseRegister(target_input());
+  set_temporaries_needed((value().get_scalar() == 0) ? 1 : 0);
+  set_double_temporaries_needed(value().is_nan() ? 0 : 1);
+}
+void CheckFloat64SameValue::GenerateCode(MaglevAssembler* masm,
+                                         const ProcessingState& state) {
+  Label* fail = __ GetDeoptLabel(this, deoptimize_reason());
+  MaglevAssembler::TemporaryRegisterScope temps(masm);
+  DoubleRegister double_scratch = temps.AcquireScratchDouble();
+  DoubleRegister target = ToDoubleRegister(target_input());
+  if (value().is_nan()) {
+    __ JumpIfNotNan(target, fail);
+  } else {
+    __ Move(double_scratch, value());
+    __ CompareFloat64AndJumpIf(double_scratch, target, kNotEqual, fail, fail);
+    if (value().get_scalar() == 0) {  // If value is +0.0 or -0.0.
+      Register scratch = temps.AcquireScratch();
+      __ VmovHigh(scratch, target);
+      __ cmp(scratch, Operand(0));
+      __ JumpIf(value().get_bits() == 0 ? kNotEqual : kEqual, fail);
+    }
+  }
+}
+
 void Int32AddWithOverflow::SetValueLocationConstraints() {
   UseRegister(left_input());
   UseRegister(right_input());
diff --git a/src/maglev/arm64/maglev-ir-arm64.cc b/src/maglev/arm64/maglev-ir-arm64.cc
@@ -212,6 +212,36 @@ void CheckedIntPtrToInt32::GenerateCode(MaglevAssembler* masm,
                       __ GetDeoptLabel(this, DeoptimizeReason::kNotInt32));
 }
 
+void CheckFloat64SameValue::SetValueLocationConstraints() {
+  UseRegister(target_input());
+  set_temporaries_needed((value().get_scalar() == 0) ? 1 : 0);
+  set_double_temporaries_needed(
+      value().is_nan() || (value().get_scalar() == 0) ? 0 : 1);
+}
+void CheckFloat64SameValue::GenerateCode(MaglevAssembler* masm,
+                                         const ProcessingState& state) {
+  Label* fail = __ GetDeoptLabel(this, deoptimize_reason());
+  MaglevAssembler::TemporaryRegisterScope temps(masm);
+  DoubleRegister target = ToDoubleRegister(target_input());
+  if (value().is_nan()) {
+    __ JumpIfNotNan(target, fail);
+  } else if (value().get_scalar() == 0) {  // If value is +0.0 or -0.0.
+    Register scratch = temps.AcquireScratch();
+    __ Fcmp(target, value().get_scalar());
+    __ JumpIf(kNotEqual, fail);
+    __ Fmov(scratch, target);
+    if (value().get_bits() == 0) {
+      __ Tbnz(scratch, 63, fail);
+    } else {
+      __ Tbz(scratch, 63, fail);
+    }
+  } else {
+    DoubleRegister double_scratch = temps.AcquireScratchDouble();
+    __ Move(double_scratch, value());
+    __ CompareFloat64AndJumpIf(double_scratch, target, kNotEqual, fail, fail);
+  }
+}
+
 void Int32AddWithOverflow::SetValueLocationConstraints() {
   UseRegister(left_input());
   if (TryGetAddImmediateInt32ConstantInput(this, kRightIndex)) {
diff --git a/src/maglev/maglev-graph-builder.cc b/src/maglev/maglev-graph-builder.cc
@@ -5871,7 +5871,7 @@ MaybeReduceResult MaglevGraphBuilder::TryBuildStoreField(
             TryFoldLoadConstantDoubleField(constant_value, access_info);
         if (constant.has_value()) {
           if (!constant->is_nan()) {
-            AddNewNode<CheckValueEqualsFloat64>(
+            AddNewNode<CheckFloat64SameValue>(
                 {GetAccumulator()}, constant.value(),
                 DeoptimizeReason::kStoreToConstant);
             return ReduceResult::Done();
@@ -10883,11 +10883,7 @@ ReduceResult MaglevGraphBuilder::BuildCheckNumericalValue(
     if (!NodeTypeIs(NodeType::kNumber, GetType(node))) {
       return EmitUnconditionalDeopt(reason);
     }
-    if (ref_value.is_nan()) {
-      AddNewNode<CheckFloat64IsNan>({node}, reason);
-    } else {
-      AddNewNode<CheckValueEqualsFloat64>({node}, ref_value, reason);
-    }
+    AddNewNode<CheckFloat64SameValue>({node}, ref_value, reason);
   }
 
   SetKnownValue(node, ref, NodeType::kNumber);
diff --git a/src/maglev/maglev-ir.cc b/src/maglev/maglev-ir.cc
@@ -3353,30 +3353,6 @@ void CheckValueEqualsInt32::GenerateCode(MaglevAssembler* masm,
   __ CompareInt32AndJumpIf(target, value(), kNotEqual, fail);
 }
 
-void CheckValueEqualsFloat64::SetValueLocationConstraints() {
-  UseRegister(target_input());
-  set_double_temporaries_needed(1);
-}
-void CheckValueEqualsFloat64::GenerateCode(MaglevAssembler* masm,
-                                           const ProcessingState& state) {
-  Label* fail = __ GetDeoptLabel(this, deoptimize_reason());
-  MaglevAssembler::TemporaryRegisterScope temps(masm);
-  DoubleRegister scratch = temps.AcquireDouble();
-  DoubleRegister target = ToDoubleRegister(target_input());
-  __ Move(scratch, value());
-  __ CompareFloat64AndJumpIf(scratch, target, kNotEqual, fail, fail);
-}
-
-void CheckFloat64IsNan::SetValueLocationConstraints() {
-  UseRegister(target_input());
-}
-void CheckFloat64IsNan::GenerateCode(MaglevAssembler* masm,
-                                     const ProcessingState& state) {
-  Label* fail = __ GetDeoptLabel(this, deoptimize_reason());
-  DoubleRegister target = ToDoubleRegister(target_input());
-  __ JumpIfNotNan(target, fail);
-}
-
 void CheckValueEqualsString::SetValueLocationConstraints() {
   using D = CallInterfaceDescriptorFor<Builtin::kStringEqual>::type;
   UseFixed(target_input(), D::GetRegisterParameter(D::kLeft));
@@ -7654,11 +7630,6 @@ void TransitionElementsKindOrCheckMap::PrintParams(
   os << "]-->" << *transition_target().object() << ")";
 }
 
-void CheckFloat64IsNan::PrintParams(std::ostream& os,
-                                    MaglevGraphLabeller* graph_labeller) const {
-  os << "(" << DeoptimizeReasonToString(deoptimize_reason()) << ")";
-}
-
 void CheckDynamicValue::PrintParams(std::ostream& os,
                                     MaglevGraphLabeller* graph_labeller) const {
   os << "(" << DeoptimizeReasonToString(deoptimize_reason()) << ")";
@@ -7676,10 +7647,10 @@ void CheckValueEqualsInt32::PrintParams(
      << ")";
 }
 
-void CheckValueEqualsFloat64::PrintParams(
+void CheckFloat64SameValue::PrintParams(
     std::ostream& os, MaglevGraphLabeller* graph_labeller) const {
-  os << "(" << value() << ", " << DeoptimizeReasonToString(deoptimize_reason())
-     << ")";
+  os << "(" << value().get_scalar() << ", "
+     << DeoptimizeReasonToString(deoptimize_reason()) << ")";
 }
 
 void CheckValueEqualsString::PrintParams(
diff --git a/src/maglev/maglev-ir.h b/src/maglev/maglev-ir.h
@@ -328,7 +328,6 @@ class ExceptionHandlerInfo;
   V(CheckHeapObject)                          \
   V(CheckInt32Condition)                      \
   V(CheckCacheIndicesNotCleared)              \
-  V(CheckFloat64IsNan)                        \
   V(CheckJSDataViewBounds)                    \
   V(CheckTypedArrayBounds)                    \
   V(CheckTypedArrayNotDetached)               \
@@ -347,7 +346,7 @@ class ExceptionHandlerInfo;
   V(CheckSymbol)                              \
   V(CheckValue)                               \
   V(CheckValueEqualsInt32)                    \
-  V(CheckValueEqualsFloat64)                  \
+  V(CheckFloat64SameValue)                    \
   V(CheckValueEqualsString)                   \
   V(CheckInstanceType)                        \
   V(Dead)                                     \
@@ -6663,22 +6662,19 @@ class CheckValueEqualsInt32 : public FixedInputNodeT<1, CheckValueEqualsInt32> {
   const int32_t value_;
 };
 
-class CheckValueEqualsFloat64
-    : public FixedInputNodeT<1, CheckValueEqualsFloat64> {
-  using Base = FixedInputNodeT<1, CheckValueEqualsFloat64>;
+class CheckFloat64SameValue : public FixedInputNodeT<1, CheckFloat64SameValue> {
+  using Base = FixedInputNodeT<1, CheckFloat64SameValue>;
 
  public:
-  explicit CheckValueEqualsFloat64(uint64_t bitfield, Float64 value,
-                                   DeoptimizeReason reason)
-      : Base(bitfield | ReasonField::encode(reason)), value_(value) {
-    DCHECK(!value.is_nan());
-  }
+  explicit CheckFloat64SameValue(uint64_t bitfield, Float64 value,
+                                 DeoptimizeReason reason)
+      : Base(bitfield | ReasonField::encode(reason)), value_(value) {}
 
   static constexpr OpProperties kProperties = OpProperties::EagerDeopt();
   static constexpr
       typename Base::InputTypes kInputTypes{ValueRepresentation::kFloat64};
 
-  double value() const { return value_.get_scalar(); }
+  Float64 value() const { return value_; }
 
   static constexpr int kTargetIndex = 0;
   Input& target_input() { return input(kTargetIndex); }
@@ -6695,29 +6691,6 @@ class CheckValueEqualsFloat64
   const Float64 value_;
 };
 
-class CheckFloat64IsNan : public FixedInputNodeT<1, CheckFloat64IsNan> {
-  using Base = FixedInputNodeT<1, CheckFloat64IsNan>;
-
- public:
-  explicit CheckFloat64IsNan(uint64_t bitfield, DeoptimizeReason reason)
-      : Base(bitfield | ReasonField::encode(reason)) {}
-
-  static constexpr OpProperties kProperties = OpProperties::EagerDeopt();
-  static constexpr
-      typename Base::InputTypes kInputTypes{ValueRepresentation::kFloat64};
-
-  static constexpr int kTargetIndex = 0;
-  Input& target_input() { return input(kTargetIndex); }
-
-  void SetValueLocationConstraints();
-  void GenerateCode(MaglevAssembler*, const ProcessingState&);
-  void PrintParams(std::ostream&, MaglevGraphLabeller*) const;
-
-  auto options() const { return std::tuple{deoptimize_reason()}; }
-
-  DEOPTIMIZE_REASON_FIELD
-};
-
 class CheckValueEqualsString
     : public FixedInputNodeT<1, CheckValueEqualsString> {
   using Base = FixedInputNodeT<1, CheckValueEqualsString>;
diff --git a/src/maglev/x64/maglev-ir-x64.cc b/src/maglev/x64/maglev-ir-x64.cc
@@ -136,6 +136,29 @@ void CheckedIntPtrToInt32::GenerateCode(MaglevAssembler* masm,
   __ EmitEagerDeoptIf(not_equal, DeoptimizeReason::kNotInt32, this);
 }
 
+void CheckFloat64SameValue::SetValueLocationConstraints() {
+  UseRegister(target_input());
+}
+void CheckFloat64SameValue::GenerateCode(MaglevAssembler* masm,
+                                         const ProcessingState& state) {
+  Label* fail = __ GetDeoptLabel(this, deoptimize_reason());
+  MaglevAssembler::TemporaryRegisterScope temps(masm);
+  DoubleRegister double_scratch = temps.AcquireScratchDouble();
+  DoubleRegister target = ToDoubleRegister(target_input());
+  if (value().is_nan()) {
+    __ JumpIfNotNan(target, fail);
+  } else {
+    __ Move(double_scratch, value());
+    __ CompareFloat64AndJumpIf(double_scratch, target, kNotEqual, fail, fail);
+    if (value().get_scalar() == 0) {  // If value is +0.0 or -0.0.
+      Register scratch = temps.AcquireScratch();
+      __ movq(scratch, target);
+      __ testq(scratch, scratch);
+      __ JumpIf(value().get_bits() == 0 ? kNotEqual : kEqual, fail);
+    }
+  }
+}
+
 int BuiltinStringFromCharCode::MaxCallStackArgs() const {
   return AllocateDescriptor::GetStackParameterCount();
 }
diff --git a/test/mjsunit/maglev/regress-406043356.js b/test/mjsunit/maglev/regress-406043356.js
@@ -0,0 +1,57 @@
+// Copyright 2025 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --maglev
+
+(function() {
+  function foo(a) {
+    v = a % a;
+    return 1 / v;
+  }
+  %PrepareFunctionForOptimization(foo);
+  // Ensures global {v} has constant cell -0.
+  foo(-1);
+  foo(-1);
+  // Ensures we deopt when comparing 0 to -0.
+  %OptimizeFunctionOnNextCall(foo);
+  assertEquals(Infinity, foo(1));
+  assertFalse(isOptimized(foo));
+})();
+
+(function() {
+  function foo(a) {
+    w = a % a;
+    return 1 / w;
+  }
+  %PrepareFunctionForOptimization(foo);
+  // Ensures global {w} has constant cell 0.
+  foo(1);
+  foo(1);
+  // Ensures we deopt when comparing 0 to -0.
+  %OptimizeFunctionOnNextCall(foo);
+  assertEquals(-Infinity, foo(-1));
+  assertFalse(isOptimized(foo));
+})();
+
+(function() {
+  let ab = new ArrayBuffer(16);
+  let int32view = new Int32Array(ab);
+  int32view[1] = 0x7FFF_FFFF;
+  int32view[0] = 0x0000_0000;
+  int32view[3] = 0x7FFF_FFFF;
+  int32view[2] = 0x0000_0001;
+  let float64view = new Float64Array(ab);
+  function foo(a) {
+    vvv = a;
+  }
+  %PrepareFunctionForOptimization(foo);
+  foo(float64view[0]);
+  foo(float64view[0]);
+
+  %OptimizeFunctionOnNextCall(foo);
+  // Ensures we don't deopt if we use a different NaN bit
+  // representation.
+  foo(float64view[1]);
+  assertTrue(isOptimized(foo));
+})();
diff --git a/test/mjsunit/maglev/regress-cse.js b/test/mjsunit/maglev/regress-cse.js
@@ -4,7 +4,7 @@
 //
 // Flags: --maglev --allow-natives-syntax --maglev-cse
 
-// CheckValueEqualsFloat64 with NaN
+// CheckFloat64SameValue with NaN
 const o22 = {
 };
 let v34 = o22.__proto__;

Original file line number	Diff line number	Diff line change
`@@ -4715,8 +4715,8 @@ class TurboshaftAssemblerOpInterface`
`4715`	`4715`	`return ReduceIfReachableSameValue(left, right, mode);`
`4716`	`4716`	`}`
`4717`	`4717`
`4718`		`- V<Word32> Float64SameValue(V<Float64> left, V<Float64> right) {`
`4719`		`- return ReduceIfReachableFloat64SameValue(left, right);`
	`4718`	`+ V<Word32> Float64SameValue(ConstOrV<Float64> left, ConstOrV<Float64> right) {`
	`4719`	`+ return ReduceIfReachableFloat64SameValue(resolve(left), resolve(right));`
`4720`	`4720`	`}`
`4721`	`4721`
`4722`	`4722`	`OpIndex FastApiCall(V<turboshaft::FrameState> frame_state,`