[turbofan] Fixes undefined in BigInt operations

When the input to a speculative BigInt operation was an undefined constant, no necessary type check was inserted by the RepresentationChanger. This CL fixes this. Bug: chromium:1077804 Change-Id: I3d4e15b1e018803d56e46c7b23b9d4b03832ba8a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2182455 Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#67610}

[turbofan] Fixes undefined in BigInt operations
When the input to a speculative BigInt operation was an undefined constant, no necessary type check was inserted by the RepresentationChanger. This CL fixes this. Bug: chromium:1077804 Change-Id: I3d4e15b1e018803d56e46c7b23b9d4b03832ba8a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2182455 Commit-Queue: Nico Hartmann <nicohartmann@chromium.org> Reviewed-by: Maya Lekova <mslekova@chromium.org> Cr-Commit-Position: refs/heads/master@{#67610}
adc2b643 · Nico Hartmann · Commit Bot · 58b12f63 · adc2b643 · adc2b643
Commit adc2b643 authored May 06, 2020 by Nico Hartmann Committed by Commit Bot May 06, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 1 deletion

representation-change.cc src/compiler/representation-change.cc +15 -1

regress-1077804.js test/mjsunit/regress/regress-1077804.js +21 -0

No files found.
--- a/src/compiler/representation-change.cc
+++ b/src/compiler/representation-change.cc
@@ -170,7 +170,12 @@ Node* RepresentationChanger::GetRepresentationFor(

  // Handle the no-op shortcuts when no checking is necessary.
  if (use_info.type_check() == TypeCheckKind::kNone ||
-      output_rep != MachineRepresentation::kWord32) {
+      // TODO(nicohartmann@, chromium:1077804): Ignoring {use_info.type_check()}
+      // in case the representation already matches is not correct. For now,
+      // this behavior is disabled only for TypeCheckKind::kBigInt, but should
+      // be fixed for all other type checks.
+      (output_rep != MachineRepresentation::kWord32 &&
+       use_info.type_check() != TypeCheckKind::kBigInt)) {
    if (use_info.representation() == output_rep) {
      // Representations are the same. That's a no-op.
      return node;
@@ -381,6 +386,7 @@ Node* RepresentationChanger::GetTaggedPointerRepresentationFor(
  switch (node->opcode()) {
    case IrOpcode::kHeapConstant:
    case IrOpcode::kDelayedStringConstant:
+      if (use_info.type_check() == TypeCheckKind::kBigInt) break;
      return node;  // No change necessary.
    case IrOpcode::kInt32Constant:
    case IrOpcode::kFloat64Constant:
@@ -1160,6 +1166,14 @@ Node* RepresentationChanger::GetWord64RepresentationFor(
      return TypeError(node, output_rep, output_type,
                       MachineRepresentation::kWord64);
    }
+  } else if (output_rep == MachineRepresentation::kWord64) {
+    DCHECK_EQ(use_info.type_check(), TypeCheckKind::kBigInt);
+    if (output_type.Is(Type::BigInt())) {
+      return node;
+    } else {
+      return TypeError(node, output_rep, output_type,
+                       MachineRepresentation::kWord64);
+    }
  } else {
    return TypeError(node, output_rep, output_type,
                     MachineRepresentation::kWord64);

--- a/test/mjsunit/regress/regress-1077804.js
+++ b/test/mjsunit/regress/regress-1077804.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --opt --no-always-opt --no-stress-opt
+
+function foo() {
+  return bar();
+}
+
+function bar(a, b) {
+  return a + b;
+}
+
+%PrepareFunctionForOptimization(foo);
+foo();
+%OptimizeFunctionOnNextCall(foo);
+%PrepareFunctionForOptimization(bar);
+%OptimizeFunctionOnNextCall(bar);
+bar(2n, 2n);
+assertTrue(Number.isNaN(foo()));