From fd29e246f65a7cee130e72cd10f618f3b82af232 Mon Sep 17 00:00:00 2001
From: Georg Neis <neis@chromium.org>
Date: Mon, 12 Apr 2021 12:53:24 +0200
Subject: [PATCH] [compiler] Fix bug in
 RepresentationChanger::GetWord32RepresentationFor

We have to respect the TypeCheckKind.

Bug: chromium:1195777
Change-Id: If1eed719fef79b7c61d99c29ba869ddd7985c413
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2817791
Commit-Queue: Georg Neis <neis@chromium.org>
Reviewed-by: Nico Hartmann <nicohartmann@chromium.org>
Cr-Commit-Position: refs/heads/master@{#73909}
---
 src/compiler/representation-change.cc    |  8 +--
 test/mjsunit/compiler/regress-1195777.js | 62 ++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 4 deletions(-)
 create mode 100644 test/mjsunit/compiler/regress-1195777.js

diff --git a/src/compiler/representation-change.cc b/src/compiler/representation-change.cc
index 64b274cdcc..3d937ada1e 100644
--- a/src/compiler/representation-change.cc
+++ b/src/compiler/representation-change.cc
@@ -949,10 +949,10 @@ Node* RepresentationChanger::GetWord32RepresentationFor(
     return node;
   } else if (output_rep == MachineRepresentation::kWord64) {
     if (output_type.Is(Type::Signed32()) ||
-        output_type.Is(Type::Unsigned32())) {
-      op = machine()->TruncateInt64ToInt32();
-    } else if (output_type.Is(cache_->kSafeInteger) &&
-               use_info.truncation().IsUsedAsWord32()) {
+        (output_type.Is(Type::Unsigned32()) &&
+         use_info.type_check() == TypeCheckKind::kNone) ||
+        (output_type.Is(cache_->kSafeInteger) &&
+         use_info.truncation().IsUsedAsWord32())) {
       op = machine()->TruncateInt64ToInt32();
     } else if (use_info.type_check() == TypeCheckKind::kSignedSmall ||
                use_info.type_check() == TypeCheckKind::kSigned32 ||
diff --git a/test/mjsunit/compiler/regress-1195777.js b/test/mjsunit/compiler/regress-1195777.js
new file mode 100644
index 0000000000..b122f4f016
--- /dev/null
+++ b/test/mjsunit/compiler/regress-1195777.js
@@ -0,0 +1,62 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax
+
+
+(function() {
+  function foo(b) {
+    let y = (new Date(42)).getMilliseconds();
+    let x = -1;
+    if (b) x = 0xFFFF_FFFF;
+    return y < Math.max(1 << y, x, 1 + y);
+  }
+  assertTrue(foo(true));
+  %PrepareFunctionForOptimization(foo);
+  assertTrue(foo(false));
+  %OptimizeFunctionOnNextCall(foo);
+  assertTrue(foo(true));
+})();
+
+
+(function() {
+  function foo(b) {
+    let x = 0;
+    if (b) x = -1;
+    return x == Math.max(-1, x >>> Infinity);
+  }
+  assertFalse(foo(true));
+  %PrepareFunctionForOptimization(foo);
+  assertTrue(foo(false));
+  %OptimizeFunctionOnNextCall(foo);
+  assertFalse(foo(true));
+})();
+
+
+(function() {
+  function foo(b) {
+    let x = -1;
+    if (b) x = 0xFFFF_FFFF;
+    return -1 < Math.max(0, x, -1);
+  }
+  assertTrue(foo(true));
+  %PrepareFunctionForOptimization(foo);
+  assertTrue(foo(false));
+  %OptimizeFunctionOnNextCall(foo);
+  assertTrue(foo(true));
+})();
+
+
+(function() {
+  function foo(b) {
+    let x = 0x7FFF_FFFF;
+    if (b) x = 0;
+    return 0 < (Math.max(-5 >>> x, -5) % -5);
+  }
+  assertTrue(foo(true));
+  %PrepareFunctionForOptimization(foo);
+  assertTrue(foo(false));
+  %OptimizeFunctionOnNextCall(foo);
+  assertTrue(foo(true));
+})();