From 31813c7de6a2252bfdf37049c43a65fee7d355f3 Mon Sep 17 00:00:00 2001 From: Georg Neis Date: Tue, 27 Apr 2021 08:53:03 +0200 Subject: [PATCH] [compiler] Fix a monotonicity issue in SimplifiedLowering Bug: chromium:1202924 Change-Id: I555fc44c52a3883010e1c643a41d470fcc683a6a Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2851880 Auto-Submit: Georg Neis Commit-Queue: Nico Hartmann Reviewed-by: Nico Hartmann Cr-Commit-Position: refs/heads/master@{#74201} --- src/compiler/simplified-lowering.cc | 2 +- test/mjsunit/compiler/regress-1202924.js | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 test/mjsunit/compiler/regress-1202924.js diff --git a/src/compiler/simplified-lowering.cc b/src/compiler/simplified-lowering.cc index 495be60af8..b67e2545c7 100644 --- a/src/compiler/simplified-lowering.cc +++ b/src/compiler/simplified-lowering.cc @@ -218,7 +218,7 @@ bool CanOverflowSigned32(const Operator* op, Type left, Type right, } bool IsSomePositiveOrderedNumber(Type type) { - return type.Is(Type::OrderedNumber()) && !type.IsNone() && type.Min() > 0; + return type.Is(Type::OrderedNumber()) && (type.IsNone() || type.Min() > 0); } } // namespace diff --git a/test/mjsunit/compiler/regress-1202924.js b/test/mjsunit/compiler/regress-1202924.js new file mode 100644 index 0000000000..a8b8970ee2 --- /dev/null +++ b/test/mjsunit/compiler/regress-1202924.js @@ -0,0 +1,18 @@ +// Copyright 2021 the V8 project authors. All rights reserved. +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +// Flags: --no-lazy-feedback-allocation --interrupt-budget=1000 +// Flags: --no-analyze-environment-liveness + +function foo() { + for (var i = 1; i < 10; i++) { + var n = 1; + for (var j = 1; j < 10; j++) { + if (n == j) j = 0; + foo = j % - n; + n++; + } + } +} +foo();