From dc61e09feb438d3cf4cb09eab3a1d8cf63cd047a Mon Sep 17 00:00:00 2001
From: Ben Noordhuis <info@bnoordhuis.nl>
Date: Sat, 1 Feb 2020 13:47:56 +0100
Subject: [PATCH] v8: fix load elimination liveness checks

This commit back-ports the implementations of IsRename() and MayAlias()
from the upstream 8.0 branch wholesale. Fixes several bugs where V8's
load elimination pass considered values to be alive when they weren't.

Fixes: https://github.com/nodejs/node/issues/31484

PR-URL: https://github.com/nodejs/node/pull/31613
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
---
 deps/v8/src/compiler/load-elimination.cc      | 33 ++++++-------------
 .../v8/test/mjsunit/regress/regress-906406.js |  7 ++++
 2 files changed, 17 insertions(+), 23 deletions(-)
 create mode 100644 deps/v8/test/mjsunit/regress/regress-906406.js

diff --git a/deps/v8/src/compiler/load-elimination.cc b/deps/v8/src/compiler/load-elimination.cc
index 53d5d794d9a978..703bcdd5688028 100644
--- a/deps/v8/src/compiler/load-elimination.cc
+++ b/deps/v8/src/compiler/load-elimination.cc
@@ -21,7 +21,7 @@ bool IsRename(Node* node) {
   switch (node->opcode()) {
     case IrOpcode::kFinishRegion:
     case IrOpcode::kTypeGuard:
-      return true;
+      return !node->IsDead();
     default:
       return false;
   }
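Review bot: The new `return !node->IsDead();` in IsRename has no comment explaining why liveness is part of the rename test, and the switch alone does not make the reason obvious. As far as I can tell from V8's Node class (not shown on this page), a dead node has had its first input cleared, so code that follows `InputAt(0)` after IsRename() returns true would walk into a null input. That applies to MayAlias below and presumably to ResolveRenames, whose body is outside the diff. I would add `// A dead FinishRegion/TypeGuard no longer has a usable input 0, so it must not be treated as a rename.` directly above the return. The opening of IsRename is only visible in the hunk header.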
@@ -35,12 +35,14 @@ Node* ResolveRenames(Node* node) {
 }
 
 bool MayAlias(Node* a, Node* b) {
-  if (a == b) return true;
-  if (!NodeProperties::GetType(a).Maybe(NodeProperties::GetType(b))) {
-    return false;
-  }
-  switch (b->opcode()) {
-    case IrOpcode::kAllocate: {
+  if (a != b) {
+    if (!NodeProperties::GetType(a).Maybe(NodeProperties::GetType(b))) {
+      return false;
+    } else if (IsRename(b)) {
+      return MayAlias(a, b->InputAt(0));
+    } else if (IsRename(a)) {
+      return MayAlias(a->InputAt(0), b);
+    } else if (b->opcode() == IrOpcode::kAllocate) {
       switch (a->opcode()) {
         case IrOpcode::kAllocate:
         case IrOpcode::kHeapConstant:
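Review bot: MayAlias carries no comment saying that `true` is the safe answer, which matters more now that a dead FinishRegion/TypeGuard no longer matches IsRename(). In the `else if (IsRename(b))` / `else if (IsRename(a))` chain such a node skips the recursion and, unless a type or kAllocate check fires, ends at the final `return true;` in the last hunk of this file. A wrong `false` would presumably let load elimination reuse a cached field value across a store that does alias, so the direction of the default deserves a line of documentation. I would add above the function `// Conservative: returns false only when a and b provably refer to different objects; every unknown case must return true.` The inner switch bodies are split across this hunk and the next two, so part of the function is not visible here.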
@@ -49,16 +51,7 @@ bool MayAlias(Node* a, Node* b) {
         default:
           break;
       }
-      break;
-    }
-    case IrOpcode::kFinishRegion:
-    case IrOpcode::kTypeGuard:
-      return MayAlias(a, b->InputAt(0));
-    default:
-      break;
-  }
-  switch (a->opcode()) {
-    case IrOpcode::kAllocate: {
+    } else if (a->opcode() == IrOpcode::kAllocate) {
       switch (b->opcode()) {
         case IrOpcode::kHeapConstant:
         case IrOpcode::kParameter:
@@ -66,13 +59,7 @@ bool MayAlias(Node* a, Node* b) {
         default:
           break;
       }
-      break;
     }
-    case IrOpcode::kFinishRegion:
-    case IrOpcode::kTypeGuard:
-      return MayAlias(a->InputAt(0), b);
-    default:
-      break;
   }
   return true;
 }
diff --git a/deps/v8/test/mjsunit/regress/regress-906406.js b/deps/v8/test/mjsunit/regress/regress-906406.js
new file mode 100644
index 00000000000000..eb79ff0a0ce368
--- /dev/null
+++ b/deps/v8/test/mjsunit/regress/regress-906406.js
@@ -0,0 +1,7 @@
+// Copyright 2018 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+for (x = 0; x < 10000; ++x) {
+    [(x) => x, [, 4294967295].find((x) => x), , 2].includes('x', -0);
+}
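Review bot: Nothing in this file forces the loop through the optimizing compiler or asserts a result, so the test only catches the regression if the 10000-iteration loop actually gets optimized under the flags the runner uses (inferred; the runner configuration is not on this page). If tiering is delayed or disabled, the test passes without exercising load elimination at all. A header comment would make that dependency explicit, for example `// Crash regression for load elimination; relies on the loop becoming hot enough to be optimized.` The file also says nothing about what it guards, so a pointer to the issue in the commit message (https://github.com/nodejs/node/issues/31484) would help whoever next sees it fail.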