Merged: [compiler] Fix a bug in SimplifiedLowering

GeorgNeis · Commit Bot · commit c449afa1953b · 2021-01-19T15:26:00.000Z
Revision: ba1b2cc BUG=chromium:1150649 NOTRY=true NOPRESUBMIT=true NOTREECHECKS=true (cherry picked from commit 966d0eb) Change-Id: Ic903e61ee00b7c240bed96633d1eab582c295308 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2557985 Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Original-Commit-Position: refs/branch-heads/8.8@{#10} Cr-Original-Branched-From: 2dbcdc1-refs/heads/8.8.278@{#1} Cr-Original-Branched-From: 366d30c-refs/heads/master@{#71094} Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2624749 Reviewed-by: Jana Grill <janagrill@chromium.org> Reviewed-by: Achuith Bhandarkar <achuith@chromium.org> Commit-Queue: Victor-Gabriel Savu <vsavu@google.com> Cr-Commit-Position: refs/branch-heads/8.6@{#52} Cr-Branched-From: a64aed2-refs/heads/8.6.395@{#1} Cr-Branched-From: a626bc0-refs/heads/master@{#69472}
diff --git a/src/compiler/simplified-lowering.cc b/src/compiler/simplified-lowering.cc
@@ -1408,7 +1408,6 @@ class RepresentationSelector {
                 IsSomePositiveOrderedNumber(input1_type)
             ? CheckForMinusZeroMode::kDontCheckForMinusZero
             : CheckForMinusZeroMode::kCheckForMinusZero;
-
     NodeProperties::ChangeOp(node, simplified()->CheckedInt32Mul(mz_mode));
   }
 
@@ -1452,6 +1451,13 @@ class RepresentationSelector {
 
     Type left_feedback_type = TypeOf(node->InputAt(0));
     Type right_feedback_type = TypeOf(node->InputAt(1));
+
+    // Using Signed32 as restriction type amounts to promising there won't be
+    // signed overflow. This is incompatible with relying on a Word32
+    // truncation in order to skip the overflow check.
+    Type const restriction =
+        truncation.IsUsedAsWord32() ? Type::Any() : Type::Signed32();
+
     // Handle the case when no int32 checks on inputs are necessary (but
     // an overflow check is needed on the output). Note that we do not
     // have to do any check if at most one side can be minus zero. For
@@ -1465,7 +1471,7 @@ class RepresentationSelector {
         right_upper.Is(Type::Signed32OrMinusZero()) &&
         (left_upper.Is(Type::Signed32()) || right_upper.Is(Type::Signed32()))) {
       VisitBinop<T>(node, UseInfo::TruncatingWord32(),
-                    MachineRepresentation::kWord32, Type::Signed32());
+                    MachineRepresentation::kWord32, restriction);
     } else {
       // If the output's truncation is identify-zeros, we can pass it
       // along. Moreover, if the operation is addition and we know the
@@ -1485,8 +1491,9 @@ class RepresentationSelector {
       UseInfo right_use = CheckedUseInfoAsWord32FromHint(hint, FeedbackSource(),
                                                          kIdentifyZeros);
       VisitBinop<T>(node, left_use, right_use, MachineRepresentation::kWord32,
-                    Type::Signed32());
+                    restriction);
     }
+
     if (lower<T>()) {
       if (truncation.IsUsedAsWord32() ||
           !CanOverflowSigned32(node->op(), left_feedback_type,
diff --git a/test/mjsunit/compiler/regress-1150649.js b/test/mjsunit/compiler/regress-1150649.js
@@ -0,0 +1,24 @@
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(a) {
+  var y = 0x7fffffff;  // 2^31 - 1
+
+  // Widen the static type of y (this condition never holds).
+  if (a == NaN) y = NaN;
+
+  // The next condition holds only in the warmup run. It leads to Smi
+  // (SignedSmall) feedback being collected for the addition below.
+  if (a) y = -1;
+
+  const z = (y + 1)|0;
+  return z < 0;
+}
+
+%PrepareFunctionForOptimization(foo);
+assertFalse(foo(true));
+%OptimizeFunctionOnNextCall(foo);
+assertTrue(foo(false));
