typeOfDoubleSum is wrong for when NaN can be produced
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 05:41:21 +0000 (05:41 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Mar 2019 05:41:21 +0000 (05:41 +0000)
commit 2393370eb41b9b3d0af2dcd9c8c9c24e659d57b7
tree 7db7c0ed1fb943877deeb06b1a5c2571eca3dde1
parent acfee80d3a84cb4a348690c839653ce7dbda2820
typeOfDoubleSum is wrong for when NaN can be produced
https://bugs.webkit.org/show_bug.cgi?id=196030

Reviewed by Filip Pizlo.

JSTests:

* stress/double-add-sub-mul-can-produce-nan.js: Added.
(assert):
(noInline.sub):
(noInline):
(assert.mul):
(assert.add):

Source/JavaScriptCore:

We were using typeOfDoubleSum(SpeculatedType, SpeculatedType) for add/sub/mul.
It assumed that the only way the resulting type could be NaN is if one of
the inputs were NaN. However, this is wrong. NaN can be produced in at least
these cases:
  Infinity - Infinity
  Infinity + (-Infinity)
  Infinity * 0

* bytecode/SpeculatedType.cpp:
(JSC::typeOfDoubleSumOrDifferenceOrProduct):
(JSC::typeOfDoubleSum):
(JSC::typeOfDoubleDifference):
(JSC::typeOfDoubleProduct):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@243277 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/double-add-sub-mul-can-produce-nan.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/SpeculatedType.cpp
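
An added example (not part of this commit or of JavaScriptCore's code): a JavaScript check that compares the assumption described in the commit message against concrete IEEE 754 results for add, sub and mul, and lists every input pair where the assumption is unsound. The function names and the sample values are made up for this illustration; the prediction function is a simplified model of the old assumption, not the engine's type lattice.

```javascript
// Constructed sample inputs: non-NaN doubles, including the edge values.
const SAMPLES = [0, -0, 1, -1, 1.5, Number.MAX_VALUE, Infinity, -Infinity];

const OPS = {
  add: (a, b) => a + b,
  sub: (a, b) => a - b,
  mul: (a, b) => a * b,
};

// Simplified model of the assumption the commit message calls wrong:
// the result can be NaN only if one of the inputs can be NaN.
function naivePredictsNaN(aMayBeNaN, bMayBeNaN) {
  return aMayBeNaN || bMayBeNaN;
}

// Print -0 distinctly so the reported cases are unambiguous.
function fmt(x) {
  return Object.is(x, -0) ? "-0" : String(x);
}

// Run every operation over every sample pair and report the cases where
// the concrete result is NaN although the model predicted "never NaN".
function findUnsoundCases() {
  const found = [];
  for (const [name, op] of Object.entries(OPS)) {
    for (const a of SAMPLES) {
      for (const b of SAMPLES) {
        const predicted = naivePredictsNaN(Number.isNaN(a), Number.isNaN(b));
        if (Number.isNaN(op(a, b)) && !predicted) {
          found.push(`${name}(${fmt(a)}, ${fmt(b)})`);
        }
      }
    }
  }
  return found;
}

for (const c of findUnsoundCases()) console.log(c);
```

Finite inputs never appear in the output on their own: every reported pair involves an infinity, which matches the three cases the commit message lists.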