Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
author msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 6 Sep 2018 23:44:49 +0000 (23:44 +0000)
committer msaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 6 Sep 2018 23:44:49 +0000 (23:44 +0000)
https://bugs.webkit.org/show_bug.cgi?id=189380

Reviewed by Saam Barati.

JSTests:

New test.

* stress/math-pow-nan-to-zero-spec-type.js: Added.
(func):
(test):

Source/JavaScriptCore:

Account for the case in Math.pow(NaN, y) where y could be 0.

* bytecode/SpeculatedType.cpp:
(JSC::typeOfDoublePow):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235765 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/math-pow-nan-to-zero-spec-type.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/SpeculatedType.cpp

index 92ecacb..4f4bdaa 100644 (file)
@@ -1,3 +1,16 @@
+2018-09-06  Michael Saboff  <msaboff@apple.com>
+
+        Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
+        https://bugs.webkit.org/show_bug.cgi?id=189380
+
+        Reviewed by Saam Barati.
+
+        New test.
+
+        * stress/math-pow-nan-to-zero-spec-type.js: Added.
+        (func):
+        (test):
+
 2018-09-06  Mark Lam  <mark.lam@apple.com>
 
         Gardening: Move regress-189185.js under JSTests/wasm.
diff --git a/JSTests/stress/math-pow-nan-to-zero-spec-type.js b/JSTests/stress/math-pow-nan-to-zero-spec-type.js
new file mode 100644 (file)
index 0000000..24553a5
--- /dev/null
@@ -0,0 +1,21 @@
+// Verify that we have the correct speculation checks for Math.pow(NaN, 0).
+
+function func(x) {
+    return fiatInt52(Math.pow(NaN, (x > 1)));
+};
+
+noInline(func);
+
+function test(f)
+{
+    for (let i = 0; i < 10000; ++i) {
+        if (f(0) != 1)
+            throw "Wrong expected value";
+
+        if (f(1) != 1)
+            throw "Wrong expected value";
+    }
+}
+
+test(func);
+
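Review bot: In test(), both f(0) and f(1) make `x > 1` evaluate to false, so the second check repeats the first and func() only ever sees an exponent of false (0). If the boolean comparison is there to keep the exponent from being a constant, a one-line comment in func() saying so would help the next reader; if a non-zero exponent was meant to be covered as well, it needs its own call and its own expected value. The two `throw "Wrong expected value"` strings are identical and carry no actual result, so a failure does not say which call produced what; including the returned value and the argument in the message, and comparing with `!==` rather than `!=`, would make a regression easier to diagnose.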
index a7c30e5..829c8d2 100644 (file)
@@ -1,3 +1,15 @@
+2018-09-06  Michael Saboff  <msaboff@apple.com>
+
+        Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
+        https://bugs.webkit.org/show_bug.cgi?id=189380
+
+        Reviewed by Saam Barati.
+
+        Account for the case where in Math.pow(NaN, y) where y could be 0.
+
+        * bytecode/SpeculatedType.cpp:
+        (JSC::typeOfDoublePow):
+
 2018-09-06  Mark Lam  <mark.lam@apple.com>
 
         Gardening: only visit m_cachedStructureID if it's not null.
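Review bot: The description line `Account for the case where in Math.pow(NaN, y) where y could be 0.` has a doubled "where" and does not say what typeOfDoublePow now returns for that case or what was wrong with the previous result. One more sentence stating that a possibly-NaN base now yields the full double type, because NaN ^ 0 is 1, would make the entry self-explanatory without opening the bug.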
index a888b3b..66b07db 100644 (file)
@@ -697,6 +697,9 @@ SpeculatedType typeOfDoublePow(SpeculatedType xValue, SpeculatedType yValue)
     // We always set a pure NaN in that case.
     if (yValue & SpecDoubleNaN)
         xValue |= SpecDoublePureNaN;
+    // Handle the wierd case of NaN ^ 0, which returns 1. See https://tc39.github.io/ecma262/#sec-applying-the-exp-operator
+    if (xValue & SpecDoubleNaN)
+        xValue |= SpecFullDouble;
     return polluteDouble(xValue);
 }
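Review bot: The new check `if (xValue & SpecDoubleNaN)` in typeOfDoublePow never looks at yValue, while its comment describes only NaN ^ 0, so the code is broader than the comment says. Because the preceding lines OR SpecDoublePureNaN into xValue whenever yValue may be NaN, the new test also fires on that path and widens the result to SpecFullDouble there too. That is conservative for the abstract interpreter, but the comment should state that the widening is deliberate, or the condition should be narrowed to the case where yValue can actually be zero. The comment also misspells "weird" as "wierd".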