Fix typing of binary operators on BigInt.

BinaryNumberOpTyper was not monotonic: if one input changes
from Number to Numeric, while the other input stays BigInt,
the result would change from Number to BigInt.

We have some fuzzing tests for monotonicity but unfortunately
they never generated the inputs required for triggering this bug.
We'll look into improving our tests.

Bug: v8:8380
Change-Id: I7320d9ae4b89ad8798bf9e97cc272edba2162a77
Reviewed-on: https://chromium-review.googlesource.com/c/1307418
Commit-Queue: Hai Dang <dhai@google.com>
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#57125}

src/compiler/typer.cc

@@ -406,10 +406,12 @@ Type Typer::Visitor::BinaryNumberOpTyper(Type lhs, Type rhs, Typer* t,
   if (lhs_is_number && rhs_is_number) {
     return f(lhs, rhs, t);
   }
-  if (lhs_is_number || rhs_is_number) {
+  // In order to maintain monotonicity, the following two conditions are
+  // intentionally asymmetric.
+  if (lhs_is_number) {
     return Type::Number();
   }
-  if (lhs.Is(Type::BigInt()) || rhs.Is(Type::BigInt())) {
+  if (lhs.Is(Type::BigInt())) {
     return Type::BigInt();
   }
   return Type::Numeric();

test/mjsunit/compiler/regress-8380.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function reduceLHS() {
+  for (var i = 0; i < 2 ;i++) {
+    let [q, r] = [1n, 1n];
+    r = r - 1n;
+    q += 1n;
+    q = r;
+  }
+}
+
+reduceLHS();
+%OptimizeFunctionOnNextCall(reduceLHS);
+reduceLHS();
+
+
+function reduceRHS() {
+  for (var i = 0; i < 2 ;i++) {
+    let [q, r] = [1n, 1n];
+    r = 1n - r;
+    q += 1n;
+    q = r;
+  }
+}
+
+reduceRHS();
+%OptimizeFunctionOnNextCall(reduceRHS);
+reduceRHS();