ValueRecovery::recover() should purify NaN values it recovers.
author mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 29 Jan 2019 22:04:47 +0000 (22:04 +0000)
committer mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 29 Jan 2019 22:04:47 +0000 (22:04 +0000)
https://bugs.webkit.org/show_bug.cgi?id=193978
<rdar://problem/47625488>

Reviewed by Saam Barati.

JSTests:

* stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.

Source/JavaScriptCore:

According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
recovered DoubleDisplacedInJSStack values need to be purified.
ValueRecovery::recover() should do the same.

* bytecode/ValueRecovery.cpp:
(JSC::ValueRecovery::recover const):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240681 268f45cc-cd09-0410-ab3c-d52691b4dbfc
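
Why an unpurified NaN is dangerous to hand to jsNumber(): under JSC's 64-bit NaN-boxing, a double is boxed by adding a constant to its raw bits, and the top 16 bits of the result are what tells a number apart from a cell pointer. A NaN that carries a sign bit or a payload can wrap the addition and land in the pointer range. The following is an added illustration written for this page, not WebKit code: a small C model of that boxing scheme, fed the exact bit pattern the regression test produces (Int32 -1 viewed as a Float32). The 2^49 encode offset, the tag masks and the helper names are assumptions modelled on the scheme described in JSCJSValue.h; the page itself does not show them, and purify_nan() mirrors only the contract of WTF's purifyNaN() (every NaN becomes the canonical quiet NaN).

```c
#include <inttypes.h>
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed boxing parameters (modelled on the scheme described in
 * JSCJSValue.h, not copied from the page): a double is boxed by adding
 * 2^49 to its bit pattern, so a well-formed boxed double never has top
 * 16 bits 0x0000 (pointer) or 0xFFFE (int32). */
#define DOUBLE_ENCODE_OFFSET (UINT64_C(1) << 49)
#define NUMBER_TAG           UINT64_C(0xfffe000000000000)
#define OTHER_TAG            UINT64_C(0x2)
#define NOT_CELL_MASK        (NUMBER_TAG | OTHER_TAG)
#define PURE_NAN_BITS        UINT64_C(0x7ff8000000000000)

static uint64_t double_to_bits(double d) { uint64_t b; memcpy(&b, &d, sizeof b); return b; }
static double bits_to_double(uint64_t b) { double d; memcpy(&d, &b, sizeof d); return d; }

/* Same contract as WTF's purifyNaN(): any NaN becomes the canonical quiet NaN. */
static double purify_nan(double d) { return d != d ? bits_to_double(PURE_NAN_BITS) : d; }

/* Model of how jsNumber() boxes a non-int32 double (assumed encoding). */
static uint64_t box_double(double d) { return double_to_bits(d) + DOUBLE_ENCODE_OFFSET; }

static bool boxed_is_number(uint64_t v) { return (v & NUMBER_TAG) != 0; }
static bool boxed_is_cell(uint64_t v)   { return (v & NOT_CELL_MASK) == 0; }

/* Constructed input matching the regression test: Int32Array[0] = -1 read
 * through a Float32Array is float bits 0xFFFFFFFF, a negative quiet NaN
 * with a full payload.  Widened to double (sign and payload preserved by
 * the usual cvtss2sd/fcvt conversions) that is 0xFFFFFFFFE0000000. */
static double displaced_nan_from_test(void) {
    return bits_to_double(UINT64_C(0xFFFFFFFFE0000000));
}

/* Before the fix: jsNumber(unboxedDouble()) on the raw NaN.  The addition
 * wraps past 2^64; the result has top bits 0x0001, which the tag checks
 * classify as a cell pointer rather than a number. */
static bool impure_nan_boxes_as_cell(void) {
    double raw = displaced_nan_from_test();
    uint64_t v = box_double(raw);
    return isnan(raw) && boxed_is_cell(v) && !boxed_is_number(v);
}

/* After the fix: jsNumber(purifyNaN(unboxedDouble())) boxes as a number. */
static bool purified_nan_boxes_as_number(void) {
    double pure = purify_nan(displaced_nan_from_test());
    uint64_t v = box_double(pure);
    return double_to_bits(pure) == PURE_NAN_BITS && boxed_is_number(v) && !boxed_is_cell(v);
}

int main(void) {
    double raw = displaced_nan_from_test();
    double pure = purify_nan(raw);
    printf("raw NaN      0x%016" PRIx64 " -> boxed 0x%016" PRIx64 " (cell=%d number=%d)\n",
           double_to_bits(raw), box_double(raw),
           boxed_is_cell(box_double(raw)), boxed_is_number(box_double(raw)));
    printf("purified NaN 0x%016" PRIx64 " -> boxed 0x%016" PRIx64 " (cell=%d number=%d)\n",
           double_to_bits(pure), box_double(pure),
           boxed_is_cell(box_double(pure)), boxed_is_number(box_double(pure)));
    return 0;
}
```

The point the model makes is that the value recovered from the stack slot is a raw IEEE double, not a JSValue; any NaN bit pattern the program managed to put there (typed-array aliasing is the simplest way) reaches jsNumber() unchanged, so the canonicalisation has to happen in the recovery path itself, which is what the one-line change below does.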

JSTests/ChangeLog
JSTests/stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/ValueRecovery.cpp

index 83833b5..4cfcd50 100644 (file)
@@ -1,3 +1,13 @@
+2019-01-29  Mark Lam  <mark.lam@apple.com>
+
+        ValueRecovery::recover() should purify NaN values it recovers.
+        https://bugs.webkit.org/show_bug.cgi?id=193978
+        <rdar://problem/47625488>
+
+        Reviewed by Saam Barati.
+
+        * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
+
 2019-01-28  Yusuke Suzuki  <ysuzuki@apple.com>
 
         Unreviewed, fix the test after r240543 not to use @Error / Error in builtins
diff --git a/JSTests/stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js b/JSTests/stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js
new file mode 100644 (file)
index 0000000..bea04b5
--- /dev/null
@@ -0,0 +1,13 @@
+let buffer = new ArrayBuffer(4);
+let int32View = new Int32Array(buffer);
+int32View[0] = -1;
+let floatView = new Float32Array(buffer);
+
+function foo() {
+    let tmp = floatView[0];
+    for (let i = 0; i < 10000; ++i) { }
+    if (tmp) {}
+}
+
+for (let i = 0; i < 100; ++i)
+    foo();
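Review bot: the test has no observable check, so on a release build it passes whether or not the recovered NaN was purified; only a debug assertion in the recovery path would catch a regression. Consider keeping the recovered value visible after the loop and asserting on it, e.g. `if (tmp === tmp || typeof tmp !== "number") throw new Error("bad recovery")` in place of `if (tmp) {}`, so the test fails on its own. A short header comment would also help the next reader: `int32View[0] = -1` makes `floatView[0]` a NaN with a non-canonical (negative, full-payload) bit pattern, and the empty loop is there to provoke the tier-up and exit that the file name describes, where `tmp` is recovered from the stack as a double.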
index a9f4332..64dd372 100644 (file)
@@ -1,3 +1,18 @@
+2019-01-29  Mark Lam  <mark.lam@apple.com>
+
+        ValueRecovery::recover() should purify NaN values it recovers.
+        https://bugs.webkit.org/show_bug.cgi?id=193978
+        <rdar://problem/47625488>
+
+        Reviewed by Saam Barati.
+
+        According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
+        recovered DoubleDisplacedInJSStack values need to be purified.
+        ValueRecovery::recover() should do the same.
+
+        * bytecode/ValueRecovery.cpp:
+        (JSC::ValueRecovery::recover const):
+
 2019-01-29  Yusuke Suzuki  <ysuzuki@apple.com>
 
         [JSC] FTL should handle LocalAllocator*
index 9c083b0..4954fe2 100644 (file)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2011, 2013, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -43,7 +43,7 @@ JSValue ValueRecovery::recover(ExecState* exec) const
     case StrictInt52DisplacedInJSStack:
         return jsNumber(exec->r(virtualRegister().offset()).unboxedStrictInt52());
     case DoubleDisplacedInJSStack:
-        return jsNumber(exec->r(virtualRegister().offset()).unboxedDouble());
+        return jsNumber(purifyNaN(exec->r(virtualRegister().offset()).unboxedDouble()));
     case CellDisplacedInJSStack:
         return exec->r(virtualRegister().offset()).unboxedCell();
     case BooleanDisplacedInJSStack:
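Review bot: the purifyNaN() call matches the two OSR-exit paths named in the ChangeLog, but the hunk shows only the DoubleDisplacedInJSStack case; please confirm no other branch of this switch, or any caller that reaches it, hands a raw double read from the stack to jsNumber(), since jsNumber() on a NaN carrying a sign bit or payload can yield a boxed value whose top bits fall outside the double range, i.e. a JSValue that is not a number. A one-line comment at the call site saying why the purification is required (NaN-boxing) would save the next reader a trip to OSRExit.cpp to find the rationale.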