normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
author ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 29 Apr 2019 22:25:03 +0000 (22:25 +0000)
committer ysuzuki@apple.com <ysuzuki@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 29 Apr 2019 22:25:03 +0000 (22:25 +0000)
commit 03ee0c556b2281c0ec5c07a4c0d92716841b98e2
tree 9aab9970f5258b3b5a4b7ac7835110e9ad0af77b
parent dc0db13604c7b8e40654474db2066764abd53f22
normalizeMapKey should normalize NaN to one PureNaN bit pattern to make MapHash same
https://bugs.webkit.org/show_bug.cgi?id=197362

Reviewed by Saam Barati.

JSTests:

* stress/map-with-nan.js: Added.
(shouldBe):
(div):
(NaN1):
(NaN2):
(NaN3):
(NaN4):
(NaN1NoInline):
(NaN2NoInline):
(NaN3NoInline):
(NaN4NoInline):
(test1):
(test2):
(test3):
(test4):
* stress/set-with-nan.js: Added.
(shouldBe):
(div):
(NaN1):
(NaN2):
(NaN3):
(NaN4):
(NaN1NoInline):
(NaN2NoInline):
(NaN3NoInline):
(NaN4NoInline):
(test2):
(test4):

Source/JavaScriptCore:

Our Map/Set's hash algorithm relies on the bit pattern of JSValue. So our Map/Set has
normalization of the key, which normalizes Int32 / Double etc. But we did not normalize
pure NaNs into one canonicalized pure NaN. So we end up having multiple different pure NaNs
in one Map/Set. This patch normalizes NaN into one jsNaN(), which uses PNaN for the representation.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
* runtime/HashMapImpl.h:
(JSC::normalizeMapKey):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@244760 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/map-with-nan.js [new file with mode: 0644]
JSTests/stress/set-with-nan.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Source/JavaScriptCore/runtime/HashMapImpl.h
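
The commit message above describes hashing Map/Set keys by bit pattern and collapsing every NaN to one canonical value. The following is an added example, not WebKit's code: a toy table keyed by the raw bits of a double, showing how many entries result with and without normalization. The helper names (`bitsOf`, `fromBits`, `normalizeKey`, `countEntries`, `demo`) are hypothetical and the NaN bit patterns are constructed sample input.

```cpp
// Added illustration; not WebKit code. All names here are hypothetical.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <limits>
#include <unordered_set>

// Raw IEEE 754 bits of a double, standing in for the encoded value that gets hashed.
static uint64_t bitsOf(double d) {
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits;
}

static double fromBits(uint64_t bits) {
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// Collapse every NaN to one canonical quiet NaN before the key is hashed.
static double normalizeKey(double d) {
    return std::isnan(d) ? std::numeric_limits<double>::quiet_NaN() : d;
}

// Insert keys into a set keyed by bit pattern; return the number of distinct entries.
static size_t countEntries(const double* keys, size_t n, bool normalize) {
    std::unordered_set<uint64_t> table;
    for (size_t i = 0; i < n; ++i)
        table.insert(bitsOf(normalize ? normalizeKey(keys[i]) : keys[i]));
    return table.size();
}

// Constructed sample input: three NaNs with different bit patterns, plus 1.5 twice.
static size_t demo(bool normalize) {
    const double keys[] = {
        fromBits(0x7ff8000000000000ULL), // quiet NaN
        fromBits(0xfff8000000000000ULL), // quiet NaN with the sign bit set
        fromBits(0x7ff8000000000001ULL), // quiet NaN carrying a payload bit
        1.5, 1.5,
    };
    return countEntries(keys, sizeof keys / sizeof keys[0], normalize);
}

int main() { return demo(true) == 2 && demo(false) == 4 ? 0 : 1; }
```

Without normalization the three NaNs occupy three separate entries even though JavaScript treats NaN as a single Map/Set key; with normalization they share one.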