[compiler] Fix bug in SimplifiedLowering's overflow computation

It's unsound to ignore -0 inputs: -0 - INT32_MIN is outside of INT32 range. Bug: chromium:1126249 Change-Id: I3b92f16c1201705780acb0359975329aa2ca34d1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2404452Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#69877}

[compiler] Fix bug in SimplifiedLowering's overflow computation
It's unsound to ignore -0 inputs: -0 - INT32_MIN is outside of INT32 range. Bug: chromium:1126249 Change-Id: I3b92f16c1201705780acb0359975329aa2ca34d1 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2404452Reviewed-by: Tobias Tebbi <tebbi@chromium.org> Commit-Queue: Georg Neis <neis@chromium.org> Cr-Commit-Position: refs/heads/master@{#69877}
e371325b · Georg Neis · Commit Bot · 71736859 · e371325b · e371325b
Commit e371325b authored Sep 11, 2020 by Georg Neis Committed by Commit Bot Sep 14, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 34 additions and 5 deletions

simplified-lowering.cc src/compiler/simplified-lowering.cc +12 -5

regress-1126249.js test/mjsunit/compiler/regress-1126249.js +22 -0

No files found.
--- a/src/compiler/simplified-lowering.cc
+++ b/src/compiler/simplified-lowering.cc
@@ -183,10 +183,16 @@ void ReplaceEffectControlUses(Node* node, Node* effect, Node* control) {
 }

 bool CanOverflowSigned32(const Operator* op, Type left, Type right,
-                         Zone* type_zone) {
-  // We assume the inputs are checked Signed32 (or known statically
-  // to be Signed32). Technically, the inputs could also be minus zero, but
-  // that cannot cause overflow.
+                         TypeCache const* type_cache, Zone* type_zone) {
+  // We assume the inputs are checked Signed32 (or known statically to be
+  // Signed32). Technically, the inputs could also be minus zero, which we treat
+  // as 0 for the purpose of this function.
+  if (left.Maybe(Type::MinusZero())) {
+    left = Type::Union(left, type_cache->kSingletonZero, type_zone);
+  }
+  if (right.Maybe(Type::MinusZero())) {
+    right = Type::Union(right, type_cache->kSingletonZero, type_zone);
+  }
  left = Type::Intersect(left, Type::Signed32(), type_zone);
  right = Type::Intersect(right, Type::Signed32(), type_zone);
  if (left.IsNone() || right.IsNone()) return false;
@@ -1484,7 +1490,8 @@ class RepresentationSelector {
    if (lower<T>()) {
      if (truncation.IsUsedAsWord32() ||
          !CanOverflowSigned32(node->op(), left_feedback_type,
-                               right_feedback_type, graph_zone())) {
+                               right_feedback_type, type_cache_,
+                               graph_zone())) {
        ChangeToPureOp(node, Int32Op(node));

      } else {

--- a/test/mjsunit/compiler/regress-1126249.js
+++ b/test/mjsunit/compiler/regress-1126249.js
+// Copyright 2020 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function foo(b) {
+  var x = -0;
+  var y = -0x80000000;
+
+  if (b) {
+    x = -1;
+    y = 1;
+  }
+
+  return (x - y) == -0x80000000;
+}
+
+%PrepareFunctionForOptimization(foo);
+assertFalse(foo(true));
+%OptimizeFunctionOnNextCall(foo);
+assertFalse(foo(false));