From d83f023e2cf2505b75d65497a51b21ef998bc58a Mon Sep 17 00:00:00 2001
From: Georg Neis <neis@chromium.org>
Date: Thu, 2 May 2019 15:12:43 +0200
Subject: [PATCH] [turbofan] Fix monotonicity of ComparisonOutcome-related
 typings

Bug: chromium:958021
Change-Id: I6cc6ff2666750b508786db010e202b1e8e1e9536
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1593293
Reviewed-by: Jaroslav Sevcik <jarin@chromium.org>
Commit-Queue: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/heads/master@{#61171}
---
 src/compiler/typer.cc                   | 12 +++++++-----
 test/mjsunit/compiler/regress-958021.js | 22 ++++++++++++++++++++++
 2 files changed, 29 insertions(+), 5 deletions(-)
 create mode 100644 test/mjsunit/compiler/regress-958021.js

diff --git a/src/compiler/typer.cc b/src/compiler/typer.cc
index c2574b5dfb..134dfad83a 100644
--- a/src/compiler/typer.cc
+++ b/src/compiler/typer.cc
@@ -486,12 +486,12 @@ Typer::Visitor::ComparisonOutcome Typer::Visitor::Invert(
 }
 
 Type Typer::Visitor::FalsifyUndefined(ComparisonOutcome outcome, Typer* t) {
+  if (outcome == 0) return Type::None();
   if ((outcome & kComparisonFalse) != 0 ||
       (outcome & kComparisonUndefined) != 0) {
     return (outcome & kComparisonTrue) != 0 ? Type::Boolean()
                                             : t->singleton_false_;
   }
-  // Type should be non empty, so we know it should be true.
   DCHECK_NE(0, outcome & kComparisonTrue);
   return t->singleton_true_;
 }
@@ -1025,6 +1025,8 @@ Type Typer::Visitor::JSStrictEqualTyper(Type lhs, Type rhs, Typer* t) {
 Typer::Visitor::ComparisonOutcome Typer::Visitor::JSCompareTyper(Type lhs,
                                                                  Type rhs,
                                                                  Typer* t) {
+  if (lhs.IsNone() || rhs.IsNone()) return {};
+
   lhs = ToPrimitive(lhs, t);
   rhs = ToPrimitive(rhs, t);
   if (lhs.Maybe(Type::String()) && rhs.Maybe(Type::String())) {
@@ -1047,6 +1049,8 @@ Typer::Visitor::ComparisonOutcome Typer::Visitor::NumberCompareTyper(Type lhs,
   DCHECK(lhs.Is(Type::Number()));
   DCHECK(rhs.Is(Type::Number()));
 
+  if (lhs.IsNone() || rhs.IsNone()) return {};
+
   // Shortcut for NaNs.
   if (lhs.Is(Type::NaN()) || rhs.Is(Type::NaN())) return kComparisonUndefined;
 
@@ -1059,11 +1063,9 @@ Typer::Visitor::ComparisonOutcome Typer::Visitor::NumberCompareTyper(Type lhs,
   } else if (lhs.Max() < rhs.Min()) {
     result = kComparisonTrue;
   } else {
-    // We cannot figure out the result, return both true and false. (We do not
-    // have to return undefined because that cannot affect the result of
-    // FalsifyUndefined.)
     return ComparisonOutcome(kComparisonTrue) |
-           ComparisonOutcome(kComparisonFalse);
+           ComparisonOutcome(kComparisonFalse) |
+           ComparisonOutcome(kComparisonUndefined);
   }
   // Add the undefined if we could see NaN.
   if (lhs.Maybe(Type::NaN()) || rhs.Maybe(Type::NaN())) {
diff --git a/test/mjsunit/compiler/regress-958021.js b/test/mjsunit/compiler/regress-958021.js
new file mode 100644
index 0000000000..252ea84365
--- /dev/null
+++ b/test/mjsunit/compiler/regress-958021.js
@@ -0,0 +1,22 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+function v0() {
+  let v7 = -4294967295;
+  try {
+    for (let v11 = 0; v11 < 8; v11++) {
+      const v13 = Symbol.isConcatSpreadable;
+      const v14 = v11 && v13;
+      const v15 = v7 <= v14;
+      for (var i = 0; i < 10; i++) {}
+    }
+  } catch(v20) {}
+}
+
+v0();
+v0();
+%OptimizeFunctionOnNextCall(v0);
+v0();