diff --git a/common.gypi b/common.gypi index ba444e1429f856..cb610f5f7409ed 100644 --- a/common.gypi +++ b/common.gypi @@ -33,7 +33,7 @@ # Reset this number to 0 on major V8 upgrades. # Increment by one for each non-official patch applied to deps/v8. - 'v8_embedder_string': '-node.46', + 'v8_embedder_string': '-node.47', # Enable disassembler for `--print-code` v8 options 'v8_enable_disassembler': 1, diff --git a/deps/v8/src/compiler/effect-control-linearizer.cc b/deps/v8/src/compiler/effect-control-linearizer.cc index d9554c06b5d785..0f1286abe7776b 100644 --- a/deps/v8/src/compiler/effect-control-linearizer.cc +++ b/deps/v8/src/compiler/effect-control-linearizer.cc @@ -773,6 +773,9 @@ bool EffectControlLinearizer::TryWireInStateEffect(Node* node, case IrOpcode::kObjectIsMinusZero: result = LowerObjectIsMinusZero(node); break; + case IrOpcode::kNumberIsMinusZero: + result = LowerNumberIsMinusZero(node); + break; case IrOpcode::kObjectIsNaN: result = LowerObjectIsNaN(node); break; @@ -2282,6 +2285,14 @@ Node* EffectControlLinearizer::LowerObjectIsSafeInteger(Node* node) { return done.PhiAt(0); } +namespace { + +const int64_t kMinusZeroBits = bit_cast(-0.0); +const int32_t kMinusZeroLoBits = static_cast(kMinusZeroBits); +const int32_t kMinusZeroHiBits = static_cast(kMinusZeroBits >> 32); + +} // namespace + Node* EffectControlLinearizer::LowerObjectIsMinusZero(Node* node) { Node* value = node->InputAt(0); Node* zero = __ Int32Constant(0); @@ -2298,15 +2309,43 @@ Node* EffectControlLinearizer::LowerObjectIsMinusZero(Node* node) { // Check if {value} contains -0. Node* value_value = __ LoadField(AccessBuilder::ForHeapNumberValue(), value); - __ Goto(&done, - __ Float64Equal( - __ Float64Div(__ Float64Constant(1.0), value_value), - __ Float64Constant(-std::numeric_limits::infinity()))); + if (machine()->Is64()) { + Node* value64 = __ BitcastFloat64ToInt64(value_value); + __ Goto(&done, __ Word64Equal(value64, __ Int64Constant(kMinusZeroBits))); + } else { + Node* value_lo = __ Float64ExtractLowWord32(value_value); + __ GotoIfNot(__ Word32Equal(value_lo, __ Int32Constant(kMinusZeroLoBits)), + &done, zero); + Node* value_hi = __ Float64ExtractHighWord32(value_value); + __ Goto(&done, + __ Word32Equal(value_hi, __ Int32Constant(kMinusZeroHiBits))); + } __ Bind(&done); return done.PhiAt(0); } +Node* EffectControlLinearizer::LowerNumberIsMinusZero(Node* node) { + Node* value = node->InputAt(0); + + if (machine()->Is64()) { + Node* value64 = __ BitcastFloat64ToInt64(value); + return __ Word64Equal(value64, __ Int64Constant(kMinusZeroBits)); + } else { + auto done = __ MakeLabel(MachineRepresentation::kBit); + + Node* value_lo = __ Float64ExtractLowWord32(value); + __ GotoIfNot(__ Word32Equal(value_lo, __ Int32Constant(kMinusZeroLoBits)), + &done, __ Int32Constant(0)); + Node* value_hi = __ Float64ExtractHighWord32(value); + __ Goto(&done, + __ Word32Equal(value_hi, __ Int32Constant(kMinusZeroHiBits))); + + __ Bind(&done); + return done.PhiAt(0); + } +} + Node* EffectControlLinearizer::LowerObjectIsNaN(Node* node) { Node* value = node->InputAt(0); Node* zero = __ Int32Constant(0); diff --git a/deps/v8/src/compiler/effect-control-linearizer.h b/deps/v8/src/compiler/effect-control-linearizer.h index 870208dbea97c4..bf0e204a34858a 100644 --- a/deps/v8/src/compiler/effect-control-linearizer.h +++ b/deps/v8/src/compiler/effect-control-linearizer.h @@ -98,6 +98,7 @@ class V8_EXPORT_PRIVATE EffectControlLinearizer { Node* LowerObjectIsConstructor(Node* node); Node* LowerObjectIsDetectableCallable(Node* node); Node* LowerObjectIsMinusZero(Node* node); + Node* LowerNumberIsMinusZero(Node* node); Node* LowerObjectIsNaN(Node* node); Node* LowerNumberIsNaN(Node* node); Node* LowerObjectIsNonCallable(Node* node); diff --git a/deps/v8/src/compiler/opcodes.h b/deps/v8/src/compiler/opcodes.h index f84598e3fd598c..b3846c91711b2e 100644 --- a/deps/v8/src/compiler/opcodes.h +++ b/deps/v8/src/compiler/opcodes.h @@ -400,6 +400,7 @@ V(ObjectIsConstructor) \ V(ObjectIsDetectableCallable) \ V(ObjectIsMinusZero) \ + V(NumberIsMinusZero) \ V(ObjectIsNaN) \ V(NumberIsNaN) \ V(ObjectIsNonCallable) \ diff --git a/deps/v8/src/compiler/simplified-lowering.cc b/deps/v8/src/compiler/simplified-lowering.cc index f24f000887d502..32c58adb532883 100644 --- a/deps/v8/src/compiler/simplified-lowering.cc +++ b/deps/v8/src/compiler/simplified-lowering.cc @@ -2845,17 +2845,7 @@ class RepresentationSelector { VisitUnop(node, UseInfo::TruncatingFloat64(), MachineRepresentation::kBit); if (lower()) { - // ObjectIsMinusZero(x:kRepFloat64) - // => Float64Equal(Float64Div(1.0,x),-Infinity) - Node* const input = node->InputAt(0); - node->ReplaceInput( - 0, jsgraph_->graph()->NewNode( - lowering->machine()->Float64Div(), - lowering->jsgraph()->Float64Constant(1.0), input)); - node->AppendInput(jsgraph_->zone(), - jsgraph_->Float64Constant( - -std::numeric_limits::infinity())); - NodeProperties::ChangeOp(node, lowering->machine()->Float64Equal()); + NodeProperties::ChangeOp(node, simplified()->NumberIsMinusZero()); } } else { VisitUnop(node, UseInfo::AnyTagged(), MachineRepresentation::kBit); diff --git a/deps/v8/src/compiler/simplified-operator.cc b/deps/v8/src/compiler/simplified-operator.cc index 8b64eb566e6b5a..698773a49dbb06 100644 --- a/deps/v8/src/compiler/simplified-operator.cc +++ b/deps/v8/src/compiler/simplified-operator.cc @@ -721,6 +721,7 @@ bool operator==(CheckMinusZeroParameters const& lhs, V(ObjectIsConstructor, Operator::kNoProperties, 1, 0) \ V(ObjectIsDetectableCallable, Operator::kNoProperties, 1, 0) \ V(ObjectIsMinusZero, Operator::kNoProperties, 1, 0) \ + V(NumberIsMinusZero, Operator::kNoProperties, 1, 0) \ V(ObjectIsNaN, Operator::kNoProperties, 1, 0) \ V(NumberIsNaN, Operator::kNoProperties, 1, 0) \ V(ObjectIsNonCallable, Operator::kNoProperties, 1, 0) \ diff --git a/deps/v8/src/compiler/simplified-operator.h b/deps/v8/src/compiler/simplified-operator.h index 62e7f73bfab529..267d8e44bab8c2 100644 --- a/deps/v8/src/compiler/simplified-operator.h +++ b/deps/v8/src/compiler/simplified-operator.h @@ -662,6 +662,7 @@ class V8_EXPORT_PRIVATE SimplifiedOperatorBuilder final const Operator* ObjectIsConstructor(); const Operator* ObjectIsDetectableCallable(); const Operator* ObjectIsMinusZero(); + const Operator* NumberIsMinusZero(); const Operator* ObjectIsNaN(); const Operator* NumberIsNaN(); const Operator* ObjectIsNonCallable(); diff --git a/deps/v8/src/compiler/typer.cc b/deps/v8/src/compiler/typer.cc index 29f6f0230d8ad5..c9e9410cbf7fc9 100644 --- a/deps/v8/src/compiler/typer.cc +++ b/deps/v8/src/compiler/typer.cc @@ -289,6 +289,7 @@ class Typer::Visitor : public Reducer { static Type ObjectIsConstructor(Type, Typer*); static Type ObjectIsDetectableCallable(Type, Typer*); static Type ObjectIsMinusZero(Type, Typer*); + static Type NumberIsMinusZero(Type, Typer*); static Type ObjectIsNaN(Type, Typer*); static Type NumberIsNaN(Type, Typer*); static Type ObjectIsNonCallable(Type, Typer*); @@ -591,6 +592,12 @@ Type Typer::Visitor::ObjectIsMinusZero(Type type, Typer* t) { return Type::Boolean(); } +Type Typer::Visitor::NumberIsMinusZero(Type type, Typer* t) { + if (type.Is(Type::MinusZero())) return t->singleton_true_; + if (!type.Maybe(Type::MinusZero())) return t->singleton_false_; + return Type::Boolean(); +} + Type Typer::Visitor::ObjectIsNaN(Type type, Typer* t) { if (type.Is(Type::NaN())) return t->singleton_true_; if (!type.Maybe(Type::NaN())) return t->singleton_false_; @@ -2083,6 +2090,10 @@ Type Typer::Visitor::TypeObjectIsMinusZero(Node* node) { return TypeUnaryOp(node, ObjectIsMinusZero); } +Type Typer::Visitor::TypeNumberIsMinusZero(Node* node) { + return TypeUnaryOp(node, NumberIsMinusZero); +} + Type Typer::Visitor::TypeNumberIsFloat64Hole(Node* node) { return Type::Boolean(); } diff --git a/deps/v8/src/compiler/verifier.cc b/deps/v8/src/compiler/verifier.cc index 7aaab7963d6472..5e30645bcbedd7 100644 --- a/deps/v8/src/compiler/verifier.cc +++ b/deps/v8/src/compiler/verifier.cc @@ -1180,6 +1180,7 @@ void Verifier::Visitor::Check(Node* node, const AllNodes& all) { CheckValueInputIs(node, 0, Type::Number()); CheckTypeIs(node, Type::Boolean()); break; + case IrOpcode::kNumberIsMinusZero: case IrOpcode::kNumberIsNaN: CheckValueInputIs(node, 0, Type::Number()); CheckTypeIs(node, Type::Boolean()); diff --git a/deps/v8/test/mjsunit/regress/regress-crbug-903043.js b/deps/v8/test/mjsunit/regress/regress-crbug-903043.js new file mode 100644 index 00000000000000..a877e6e12ab7ed --- /dev/null +++ b/deps/v8/test/mjsunit/regress/regress-crbug-903043.js @@ -0,0 +1,39 @@ +// Copyright 2018 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --allow-natives-syntax + +(function() { + function foo() { + const x = 1e-1; + return Object.is(-0, x * (-1e-308)); + } + + assertFalse(foo()); + assertFalse(foo()); + %OptimizeFunctionOnNextCall(foo); + assertFalse(foo()); +})(); + +(function() { + function foo(x) { + return Object.is(-0, x * (-1e-308)); + } + + assertFalse(foo(1e-1)); + assertFalse(foo(1e-1)); + %OptimizeFunctionOnNextCall(foo); + assertFalse(foo(1e-1)); +})(); + +(function() { + function foo(x) { + return Object.is(-0, x); + } + + assertFalse(foo(1e-1 * (-1e-308))); + assertFalse(foo(1e-1 * (-1e-308))); + %OptimizeFunctionOnNextCall(foo); + assertFalse(foo(1e-1 * (-1e-308))); +})();