[compiler] Fix bug in representation changer.

We must not accept something of kBit representation as of
kWord32 representation (unless it's truncated accordingly).
Deopt instead.

Bug: v8:7740
Change-Id: Ib4f73600d66f8762a6e22f7ea1ce79e8ef451b34
Reviewed-on: https://chromium-review.googlesource.com/1054670
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Cr-Commit-Position: refs/heads/master@{#53144}

src/compiler/representation-change.cc

@@ -607,6 +607,16 @@ Node* RepresentationChanger::MakeTruncatedInt32Constant(double value) {
   return jsgraph()->Int32Constant(DoubleToInt32(value));
 }
 
+void RepresentationChanger::InsertUnconditionalDeopt(Node* node,
+                                                     DeoptimizeReason reason) {
+  Node* effect = NodeProperties::GetEffectInput(node);
+  Node* control = NodeProperties::GetControlInput(node);
+  Node* deopt =
+      jsgraph()->graph()->NewNode(simplified()->CheckIf(reason),
+                                  jsgraph()->Int32Constant(0), effect, control);
+  NodeProperties::ReplaceEffectInput(node, deopt);
+}
+
 Node* RepresentationChanger::GetWord32RepresentationFor(
     Node* node, MachineRepresentation output_rep, Type output_type,
     Node* use_node, UseInfo use_info) {
@@ -638,7 +648,17 @@ Node* RepresentationChanger::GetWord32RepresentationFor(
     return jsgraph()->graph()->NewNode(
         jsgraph()->common()->DeadValue(MachineRepresentation::kWord32), node);
   } else if (output_rep == MachineRepresentation::kBit) {
-    return node;  // Sloppy comparison -> word32
+    CHECK(output_type.Is(Type::Boolean()));
+    if (use_info.truncation().IsUsedAsWord32()) {
+      return node;
+    } else {
+      CHECK(Truncation::Any(kIdentifyZeros)
+                .IsLessGeneralThan(use_info.truncation()));
+      CHECK_NE(use_info.type_check(), TypeCheckKind::kNone);
+      InsertUnconditionalDeopt(use_node, DeoptimizeReason::kNotASmi);
+      return jsgraph()->graph()->NewNode(
+          jsgraph()->common()->DeadValue(MachineRepresentation::kWord32), node);
+    }
   } else if (output_rep == MachineRepresentation::kFloat64) {
     if (output_type.Is(Type::Signed32())) {
       op = machine()->ChangeFloat64ToInt32();

src/compiler/representation-change.h

@@ -337,8 +337,8 @@ class RepresentationChanger final {
   Node* InsertChangeTaggedSignedToInt32(Node* node);
   Node* InsertChangeTaggedToFloat64(Node* node);
   Node* InsertChangeUint32ToFloat64(Node* node);
-
   Node* InsertConversion(Node* node, const Operator* op, Node* use_node);
+  void InsertUnconditionalDeopt(Node* node, DeoptimizeReason reason);
 
   JSGraph* jsgraph() const { return jsgraph_; }
   Isolate* isolate() const { return isolate_; }

test/mjsunit/regress/regress-7740.js

+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+var x = 0;
+x = 42;
+
+function foo(a, b) {
+  let y = a < a;
+  if (b) x = y;
+}
+
+foo(1, false);
+foo(1, false);
+%OptimizeFunctionOnNextCall(foo);
+foo(1, true);