DFG performs incorrect constant folding on double-to-uint32 conversion in
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 14 May 2012 06:47:24 +0000 (06:47 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 14 May 2012 06:47:24 +0000 (06:47 +0000)
commit 2d0221c7ba4f16ed6d987c5ee42f5c44b5afaf63
tree 7db61e5038532b0e22395f9f18c8cc1a7c08ffae
parent 23c03b68d661c698c7ee6648d0940eee33fbebca
DFG performs incorrect constant folding on double-to-uint32 conversion in
Uint32Array PutByVal
https://bugs.webkit.org/show_bug.cgi?id=86330

Source/JavaScriptCore:

Reviewed by Darin Adler.

static_cast<int>(d) is wrong, since JS semantics require us to use toInt32(d).
In particular, C++ casts on typical hardware (like x86 and similar) will
return 0x80000000 for double values that are out of range of the int32 domain
(i.e. less than -2^31 or greater than or equal to 2^31). But JS semantics call
for wrap-around; for example the double value 4294967297 ought to become the
int32 value 1, not 0x80000000.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

LayoutTests:

Rubber stamped by Darin Adler.

* fast/js/dfg-uint32array-overflow-constant-expected.txt: Added.
* fast/js/dfg-uint32array-overflow-constant.html: Added.
* fast/js/script-tests/dfg-uint32array-overflow-constant.js: Added.
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@116925 268f45cc-cd09-0410-ab3c-d52691b4dbfc
LayoutTests/ChangeLog
LayoutTests/fast/js/dfg-uint32array-overflow-constant-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-uint32array-overflow-constant.html [new file with mode: 0644]
LayoutTests/fast/js/script-tests/dfg-uint32array-overflow-constant.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
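The wrap-around conversion the commit message describes, written out as an added example that is not JavaScriptCore's own toInt32: a portable C++ implementation of ECMAScript ToInt32/ToUint32 (the function names jsToInt32 and jsToUint32 are assumptions), exercised on the commit's 4294967297 case and on the other out-of-range inputs a constant folder has to get right.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// ECMAScript ToInt32: NaN and +/-Infinity become 0, everything else is
// truncated toward zero, reduced modulo 2^32, and mapped into [-2^31, 2^31).
// This is the wrap-around the commit requires; static_cast<int>(d) on an
// out-of-range double is undefined behaviour in C++ and yields 0x80000000
// on x86, which is the bug being fixed. (Added example, not JSC's toInt32.)
int32_t jsToInt32(double d)
{
    if (std::isnan(d) || std::isinf(d))
        return 0;
    const double two32 = 4294967296.0;
    double t = std::trunc(d);        // sign(d) * floor(|d|)
    double m = std::fmod(t, two32);  // exact; takes the sign of t, |m| < 2^32
    if (m < 0)
        m += two32;                  // now 0 <= m < 2^32
    if (m >= 2147483648.0)
        m -= two32;                  // fold [2^31, 2^32) onto [-2^31, 0)
    return static_cast<int32_t>(m);  // in range, so this cast is well defined
}

// ToUint32 is the same value reinterpreted modulo 2^32; this is what a store
// into a Uint32Array element keeps.
uint32_t jsToUint32(double d)
{
    return static_cast<uint32_t>(jsToInt32(d));
}

int main()
{
    // The commit's own example: 4294967297 == 2^32 + 1 must wrap to 1.
    std::printf("toInt32(4294967297) = %d\n", jsToInt32(4294967297.0));
    std::printf("toUint32(-1)        = %u\n", jsToUint32(-1.0));
    std::printf("toInt32(1e20)       = %d\n", jsToInt32(1e20));
    return 0;
}
```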