[TurboFan] Fix SpeculativeNumberEqual[Number] with undefined

Bug: chromium:1198309, v8:5660 Change-Id: I9cb5f66643c0c0ab9b18ca953cf85d2f6aa84b42 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827899Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/master@{#74038}

[TurboFan] Fix SpeculativeNumberEqual[Number] with undefined
Bug: chromium:1198309, v8:5660 Change-Id: I9cb5f66643c0c0ab9b18ca953cf85d2f6aa84b42 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827899Reviewed-by: Georg Neis <neis@chromium.org> Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Cr-Commit-Position: refs/heads/master@{#74038}
7c7cdec5 · Nico Hartmann · Commit Bot · cb97b380 · 7c7cdec5 · 7c7cdec5
Commit 7c7cdec5 authored Apr 19, 2021 by Nico Hartmann Committed by Commit Bot Apr 19, 2021
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 12 deletions

representation-change.cc src/compiler/representation-change.cc +23 -12

deoptimize-reason.h src/deoptimizer/deoptimize-reason.h +1 -0

No files found.
--- a/src/compiler/representation-change.cc
+++ b/src/compiler/representation-change.cc
@@ -211,7 +211,10 @@ Node* RepresentationChanger::GetRepresentationFor(
      return GetFloat32RepresentationFor(node, output_rep, output_type,
                                         use_info.truncation());
    case MachineRepresentation::kFloat64:
-      DCHECK_NE(TypeCheckKind::kBigInt, use_info.type_check());
+      DCHECK(use_info.type_check() == TypeCheckKind::kNone ||
+             use_info.type_check() == TypeCheckKind::kNumber ||
+             use_info.type_check() == TypeCheckKind::kNumberOrBoolean ||
+             use_info.type_check() == TypeCheckKind::kNumberOrOddball);
      return GetFloat64RepresentationFor(node, output_rep, output_type,
                                         use_node, use_info);
    case MachineRepresentation::kBit:
@@ -729,15 +732,22 @@ Node* RepresentationChanger::GetFloat64RepresentationFor(
    }
  } else if (IsAnyTagged(output_rep)) {
    if (output_type.Is(Type::Undefined())) {
-      if (use_info.type_check() == TypeCheckKind::kNumberOrBoolean) {
+      if (use_info.type_check() == TypeCheckKind::kNumberOrOddball ||
+          (use_info.type_check() == TypeCheckKind::kNone &&
+           use_info.truncation().TruncatesOddballAndBigIntToNumber())) {
+        return jsgraph()->Float64Constant(
+            std::numeric_limits<double>::quiet_NaN());
+      } else {
+        DCHECK(use_info.type_check() == TypeCheckKind::kNone ||
+               use_info.type_check() == TypeCheckKind::kNumber ||
+               use_info.type_check() == TypeCheckKind::kNumberOrBoolean);
        Node* unreachable = InsertUnconditionalDeopt(
-            use_node, DeoptimizeReason::kNotANumberOrBoolean);
+            use_node, use_info.type_check() == TypeCheckKind::kNumber
+                          ? DeoptimizeReason::kNotANumber
+                          : DeoptimizeReason::kNotANumberOrBoolean);
        return jsgraph()->graph()->NewNode(
            jsgraph()->common()->DeadValue(MachineRepresentation::kFloat64),
            unreachable);
-      } else {
-        return jsgraph()->Float64Constant(
-            std::numeric_limits<double>::quiet_NaN());
      }
    } else if (output_rep == MachineRepresentation::kTaggedSigned) {
      node = InsertChangeTaggedSignedToInt32(node);
@@ -749,12 +759,13 @@ Node* RepresentationChanger::GetFloat64RepresentationFor(
               output_type.Is(Type::NumberOrHole())) {
      // JavaScript 'null' is an Oddball that results in +0 when truncated to
      // Number. In a context like -0 == null, which must evaluate to false,
-      // this truncation must not happen. For this reason we restrict this case
-      // to when either the user explicitly requested a float (and thus wants
-      // +0 if null is the input) or we know from the types that the input can
-      // only be Number | Hole. The latter is necessary to handle the operator
-      // CheckFloat64Hole. We did not put in the type (Number | Oddball \ Null)
-      // to discover more bugs related to this conversion via crashes.
+      // this truncation must not happen. For this reason we restrict this
+      // case to when either the user explicitly requested a float (and thus
+      // wants +0 if null is the input) or we know from the types that the
+      // input can only be Number | Hole. The latter is necessary to handle
+      // the operator CheckFloat64Hole. We did not put in the type (Number |
+      // Oddball \ Null) to discover more bugs related to this conversion via
+      // crashes.
      op = simplified()->TruncateTaggedToFloat64();
    } else if (use_info.type_check() == TypeCheckKind::kNumber ||
               (use_info.type_check() == TypeCheckKind::kNumberOrOddball &&

--- a/src/deoptimizer/deoptimize-reason.h
+++ b/src/deoptimizer/deoptimize-reason.h
@@ -44,6 +44,7 @@ namespace internal {
  V(NotAJavaScriptObject, "not a JavaScript object")                           \
  V(NotAJavaScriptObjectOrNullOrUndefined,                                     \
    "not a JavaScript object, Null or Undefined")                              \
+  V(NotANumber, "not a Number")                                                \
  V(NotANumberOrBoolean, "not a Number or Boolean")                            \
  V(NotANumberOrOddball, "not a Number or Oddball")                            \
  V(NotAnArrayIndex, "not an array index")                                     \