From 4a01d3a410354bc8fe2e6ef03d32cbe39a770204 Mon Sep 17 00:00:00 2001
From: Georg Neis <neis@chromium.org>
Date: Wed, 15 Jan 2020 11:31:10 +0100
Subject: [Backport] Security bug 1031909
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/2002388:
Merged: Squashed multiple commits.

Merged: [turbofan] fix type widening bug in RedundancyElimination
Revision: 3f7e99ac460c3ca689aac76c39fbdf1852c9a7be

Merged: [turbofan] fix type widening bug in RedundancyElimination, completely
Revision: 69b195c935b28857ee8e85c22af14837a0ce2c62

BUG=chromium:1031909

Change-Id: I471c05fa3d5e83bb5a8eb1ca23d92a9a142ed60a
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
---
 chromium/v8/src/compiler/redundancy-elimination.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/chromium/v8/src/compiler/redundancy-elimination.cc b/chromium/v8/src/compiler/redundancy-elimination.cc
index 9b401bcf43f..860cbbb1aca 100644
--- a/chromium/v8/src/compiler/redundancy-elimination.cc
+++ b/chromium/v8/src/compiler/redundancy-elimination.cc
@@ -234,7 +234,7 @@ Node* RedundancyElimination::EffectPathChecks::LookupBoundsCheckFor(
     Node* node) const {
   for (Check const* check = head_; check != nullptr; check = check->next) {
     if (check->node->opcode() == IrOpcode::kCheckBounds &&
-        check->node->InputAt(0) == node) {
+        check->node->InputAt(0) == node && TypeSubsumes(node, check->node)) {
       return check->node;
     }
   }
-- 
cgit v1.2.1