Victor Gomes (Gerrit)

unread,

4:50 AM (4 hours ago) 4:50 AM

to Marja Hölttä, dmercadi...@chromium.org, leszek...@chromium.org, v8-re...@googlegroups.com, verwaes...@chromium.org, victorgo...@chromium.org

Attention needed from Marja Hölttä

Victor Gomes voted and added 1 comment

Votes added by Victor Gomes

Auto-Submit	+1
Commit-Queue	+1

1 comment

Patchset-level comments

File-level comment, Patchset 2 (Latest):

Victor Gomes . resolved

PTAL!

Open in Gerrit

Related details

Attention is currently required from:

Marja Hölttä

Submit Requirements:

Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Marja Hölttä (Gerrit)

unread,

4:58 AM (4 hours ago) 4:58 AM

to Victor Gomes, V8 LUCI CQ, dmercadi...@chromium.org, leszek...@chromium.org, v8-re...@googlegroups.com, verwaes...@chromium.org, victorgo...@chromium.org

Attention needed from Victor Gomes

Marja Hölttä voted

Code-Review	+1
Commit-Queue	+2

Open in Gerrit

Related details

Attention is currently required from:

Victor Gomes

Submit Requirements:

Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

open

diffy

V8 LUCI CQ (Gerrit)

unread,

5:27 AM (4 hours ago) 5:27 AM

to Victor Gomes, Marja Hölttä, dmercadi...@chromium.org, leszek...@chromium.org, v8-re...@googlegroups.com, verwaes...@chromium.org, victorgo...@chromium.org

V8 LUCI CQ submitted the change

Change information

Commit message:

[turbolev] Fix crash in Float64SpeculateSafeAdd truncation

`ProcessFloat64SpeculateSafeAdd` previously allowed speculation if at
least one input was a safe integer or a Phi node. This logic was too
permissive, as it allowed the other input to be an unsafe
`Float64Constant` (such as `NaN`).

When `TruncationProcessor::GetSpeculatedTruncatedInt32Input`
subsequently processed this unsafe constant, it triggered a
`DCHECK(input->GetStaticRange().IsSafeInt())` failure, as `NaN` cannot
be represented as a safe integer.

This CL fixes the issue by explicitly checking for "unsafe constants"
(Float64Constants that are not safe integers) in
`ProcessFloat64SpeculateSafeAdd`. If either input is an unsafe constant,
we bail out of the speculation and overwrite the node with a standard
`Float64Add`.

Fixed: 485535276

Change-Id: Ide3061148b436257d80f3ca7ce7b0e73dc5c9cef

Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7602912

Auto-Submit: Victor Gomes <victo...@chromium.org>

Reviewed-by: Marja Hölttä <ma...@chromium.org>

Commit-Queue: Marja Hölttä <ma...@chromium.org>

Commit-Queue: Victor Gomes <victo...@chromium.org>

Cr-Commit-Position: refs/heads/main@{#105405}

Files:

M src/maglev/maglev-truncation.h
A test/mjsunit/turbolev/regress-485535276.js

Change size: S

Delta: 2 files changed, 34 insertions(+), 1 deletion(-)

Branch: refs/heads/main

Submit Requirements:

Code-Review: +1 by Marja Hölttä

Open in Gerrit

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

open

diffy

satisfied_requirement

Reply all

Reply to author

Forward

[turbolev] Fix crash in Float64SpeculateSafeAdd truncation [v8/v8 : main]

Victor Gomes (Gerrit)

Victor Gomes voted and added 1 comment

Votes added by Victor Gomes

1 comment

Related details

Marja Hölttä (Gerrit)

Marja Hölttä voted

Related details

V8 LUCI CQ (Gerrit)

V8 LUCI CQ submitted the change

Change information