DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for...
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 27 Jan 2018 18:14:06 +0000 (18:14 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 27 Jan 2018 18:14:06 +0000 (18:14 +0000)
commit8a81c956215a239a9f79a7167171dca07ade9fe7
tree4b05a694bc05b8b43a1446eaaf218951fd294271
parentdb144e6600967fa87e26d1f1edc606e85cdafeea
DFG strength reduction fails to convert NumberToStringWithValidRadixConstant for 0 to constant '0'
https://bugs.webkit.org/show_bug.cgi?id=182213

Reviewed by Mark Lam.

JSTests:

* stress/int32-min-to-string.js: Added.
(shouldBe):
(test2):
(test4):
(test8):
(test16):
(test32):
* stress/zero-to-string.js: Added.
(shouldBe):
(test2):
(test4):
(test8):
(test16):
(test32):

Source/JavaScriptCore:

toStringWithRadixInternal is originally used for the slow path if the given value is larger than radix or negative.
As a result, it does not accept 0 correctly, and produces an empty string. Since DFGStrengthReductionPhase uses
this function, it accidentally converts NumberToStringWithValidRadixConstant(0, radix) to an empty string.
This patch fixes toStringWithRadixInternal to accept 0. This change fixes twitch.tv's issue.

We also add a careful cast to avoid `-INT32_MIN`. It does not produce incorrect value in x86 in practice,
but it is UB, and a compiler may assume that the given value is never INT32_MIN and could do an incorrect optimization.

* runtime/NumberPrototype.cpp:
(JSC::toStringWithRadixInternal):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@227716 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/int32-min-to-string.js [new file with mode: 0644]
JSTests/stress/zero-to-string.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/runtime/NumberPrototype.cpp