Commit 7c7cdec5 authored by Nico Hartmann's avatar Nico Hartmann Committed by Commit Bot

[TurboFan] Fix SpeculativeNumberEqual[Number] with undefined

Bug: chromium:1198309, v8:5660
Change-Id: I9cb5f66643c0c0ab9b18ca953cf85d2f6aa84b42
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2827899
Reviewed-by: Georg Neis <neis@chromium.org>
Commit-Queue: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#74038}
parent cb97b380
...@@ -211,7 +211,10 @@ Node* RepresentationChanger::GetRepresentationFor( ...@@ -211,7 +211,10 @@ Node* RepresentationChanger::GetRepresentationFor(
return GetFloat32RepresentationFor(node, output_rep, output_type, return GetFloat32RepresentationFor(node, output_rep, output_type,
use_info.truncation()); use_info.truncation());
case MachineRepresentation::kFloat64: case MachineRepresentation::kFloat64:
DCHECK_NE(TypeCheckKind::kBigInt, use_info.type_check()); DCHECK(use_info.type_check() == TypeCheckKind::kNone ||
use_info.type_check() == TypeCheckKind::kNumber ||
use_info.type_check() == TypeCheckKind::kNumberOrBoolean ||
use_info.type_check() == TypeCheckKind::kNumberOrOddball);
return GetFloat64RepresentationFor(node, output_rep, output_type, return GetFloat64RepresentationFor(node, output_rep, output_type,
use_node, use_info); use_node, use_info);
case MachineRepresentation::kBit: case MachineRepresentation::kBit:
...@@ -729,15 +732,22 @@ Node* RepresentationChanger::GetFloat64RepresentationFor( ...@@ -729,15 +732,22 @@ Node* RepresentationChanger::GetFloat64RepresentationFor(
} }
} else if (IsAnyTagged(output_rep)) { } else if (IsAnyTagged(output_rep)) {
if (output_type.Is(Type::Undefined())) { if (output_type.Is(Type::Undefined())) {
if (use_info.type_check() == TypeCheckKind::kNumberOrBoolean) { if (use_info.type_check() == TypeCheckKind::kNumberOrOddball ||
(use_info.type_check() == TypeCheckKind::kNone &&
use_info.truncation().TruncatesOddballAndBigIntToNumber())) {
return jsgraph()->Float64Constant(
std::numeric_limits<double>::quiet_NaN());
} else {
DCHECK(use_info.type_check() == TypeCheckKind::kNone ||
use_info.type_check() == TypeCheckKind::kNumber ||
use_info.type_check() == TypeCheckKind::kNumberOrBoolean);
Node* unreachable = InsertUnconditionalDeopt( Node* unreachable = InsertUnconditionalDeopt(
use_node, DeoptimizeReason::kNotANumberOrBoolean); use_node, use_info.type_check() == TypeCheckKind::kNumber
? DeoptimizeReason::kNotANumber
: DeoptimizeReason::kNotANumberOrBoolean);
return jsgraph()->graph()->NewNode( return jsgraph()->graph()->NewNode(
jsgraph()->common()->DeadValue(MachineRepresentation::kFloat64), jsgraph()->common()->DeadValue(MachineRepresentation::kFloat64),
unreachable); unreachable);
} else {
return jsgraph()->Float64Constant(
std::numeric_limits<double>::quiet_NaN());
} }
} else if (output_rep == MachineRepresentation::kTaggedSigned) { } else if (output_rep == MachineRepresentation::kTaggedSigned) {
node = InsertChangeTaggedSignedToInt32(node); node = InsertChangeTaggedSignedToInt32(node);
...@@ -749,12 +759,13 @@ Node* RepresentationChanger::GetFloat64RepresentationFor( ...@@ -749,12 +759,13 @@ Node* RepresentationChanger::GetFloat64RepresentationFor(
output_type.Is(Type::NumberOrHole())) { output_type.Is(Type::NumberOrHole())) {
// JavaScript 'null' is an Oddball that results in +0 when truncated to // JavaScript 'null' is an Oddball that results in +0 when truncated to
// Number. In a context like -0 == null, which must evaluate to false, // Number. In a context like -0 == null, which must evaluate to false,
// this truncation must not happen. For this reason we restrict this case // this truncation must not happen. For this reason we restrict this
// to when either the user explicitly requested a float (and thus wants // case to when either the user explicitly requested a float (and thus
// +0 if null is the input) or we know from the types that the input can // wants +0 if null is the input) or we know from the types that the
// only be Number | Hole. The latter is necessary to handle the operator // input can only be Number | Hole. The latter is necessary to handle
// CheckFloat64Hole. We did not put in the type (Number | Oddball \ Null) // the operator CheckFloat64Hole. We did not put in the type (Number |
// to discover more bugs related to this conversion via crashes. // Oddball \ Null) to discover more bugs related to this conversion via
// crashes.
op = simplified()->TruncateTaggedToFloat64(); op = simplified()->TruncateTaggedToFloat64();
} else if (use_info.type_check() == TypeCheckKind::kNumber || } else if (use_info.type_check() == TypeCheckKind::kNumber ||
(use_info.type_check() == TypeCheckKind::kNumberOrOddball && (use_info.type_check() == TypeCheckKind::kNumberOrOddball &&
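Review bot: The rewritten `output_type.Is(Type::Undefined())` branch in GetFloat64RepresentationFor carries no comment explaining why folding to a NaN constant is limited to `kNumberOrOddball` and to `kNone` with `TruncatesOddballAndBigIntToNumber()`, while every other check kind deoptimizes. That distinction is the substance of the fix, since the previous code as shown folded undefined to NaN for everything except `kNumberOrBoolean`, so a `kNumber` check was dropped instead of failing. I would add above the `if`: `// undefined may only be folded to NaN when the use accepts oddballs; any other check kind must deopt instead of folding.` The `DCHECK` in the else arm is not evaluated in release builds, so a short comment there should state that deopt is the intended fail-safe default for any unlisted kind; separately, a `kNone` use that reaches this arm reports `kNotANumberOrBoolean`, which misstates the cause in deopt traces. The function body starts and ends outside the hunks shown.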
......
...@@ -44,6 +44,7 @@ namespace internal { ...@@ -44,6 +44,7 @@ namespace internal {
V(NotAJavaScriptObject, "not a JavaScript object") \ V(NotAJavaScriptObject, "not a JavaScript object") \
V(NotAJavaScriptObjectOrNullOrUndefined, \ V(NotAJavaScriptObjectOrNullOrUndefined, \
"not a JavaScript object, Null or Undefined") \ "not a JavaScript object, Null or Undefined") \
V(NotANumber, "not a Number") \
V(NotANumberOrBoolean, "not a Number or Boolean") \ V(NotANumberOrBoolean, "not a Number or Boolean") \
V(NotANumberOrOddball, "not a Number or Oddball") \ V(NotANumberOrOddball, "not a Number or Oddball") \
V(NotAnArrayIndex, "not an array index") \ V(NotAnArrayIndex, "not an array index") \
......