Title: [260517] trunk
Revision
260517
Author
sbar...@apple.com
Date
2020-04-22 09:34:47 -0700 (Wed, 22 Apr 2020)

Log Message

ValueBitNot is wrong in FTL with AnyBigIntUse
https://bugs.webkit.org/show_bug.cgi?id=210846

Reviewed by Yusuke Suzuki.

JSTests:

* stress/big-int-value-bit-not-spec-any-big-int.js: Added.
(assert):
(foo):

Source/_javascript_Core:

We forgot to speculate.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (260516 => 260517)


--- trunk/JSTests/ChangeLog	2020-04-22 16:31:32 UTC (rev 260516)
+++ trunk/JSTests/ChangeLog	2020-04-22 16:34:47 UTC (rev 260517)
@@ -1,3 +1,14 @@
+2020-04-22  Saam Barati  <sbar...@apple.com>
+
+        ValueBitNot is wrong in FTL with AnyBigIntUse
+        https://bugs.webkit.org/show_bug.cgi?id=210846
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/big-int-value-bit-not-spec-any-big-int.js: Added.
+        (assert):
+        (foo):
+
 2020-04-22  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results

Added: trunk/JSTests/stress/big-int-value-bit-not-spec-any-big-int.js (0 => 260517)


--- trunk/JSTests/stress/big-int-value-bit-not-spec-any-big-int.js	                        (rev 0)
+++ trunk/JSTests/stress/big-int-value-bit-not-spec-any-big-int.js	2020-04-22 16:34:47 UTC (rev 260517)
@@ -0,0 +1,16 @@
+function assert(b) {
+    if (!b)
+        throw new Error;
+}
+function foo(x) {
+    return ~x;
+}
+noInline(foo);
+
+for (let i = 0; i < 1000000; ++i) {
+    let x = 1n;
+    assert(foo(x) === (0n - x) - 1n);
+
+    x = 10101010101010101010101010101010101010101010101010n;
+    assert(foo(x) === (0n - x) - 1n);
+}
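Review bot: The loop only passes BigInt operands to `foo`, so the test covers the case where the AnyBigInt speculation holds but never the bailout that the new check in compileValueBitNot introduces. A call with a non-BigInt operand after the warm-up loop, such as `assert(foo(1) === -2);`, would presumably make the optimized code fail the speculation and fall back, confirming the result is still correct on that path. Separately, `throw new Error;` in `assert` carries no message; `throw new Error("Bad assertion");` would make a failure easier to spot in a stress-test log.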

Modified: trunk/Source/_javascript_Core/ChangeLog (260516 => 260517)


--- trunk/Source/_javascript_Core/ChangeLog	2020-04-22 16:31:32 UTC (rev 260516)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-04-22 16:34:47 UTC (rev 260517)
@@ -1,3 +1,15 @@
+2020-04-22  Saam Barati  <sbar...@apple.com>
+
+        ValueBitNot is wrong in FTL with AnyBigIntUse
+        https://bugs.webkit.org/show_bug.cgi?id=210846
+
+        Reviewed by Yusuke Suzuki.
+
+        We forgot to speculate.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileValueBitNot):
+
 2020-04-22  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (260516 => 260517)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2020-04-22 16:31:32 UTC (rev 260516)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2020-04-22 16:34:47 UTC (rev 260517)
@@ -3301,7 +3301,9 @@
             return;
         }
 
-        LValue operand = lowJSValue(m_node->child1());
+        DFG_ASSERT(m_graph, m_node, m_node->child1().useKind() == UntypedUse || m_node->child1().useKind() == AnyBigIntUse);
+        LValue operand = lowJSValue(m_node->child1(), ManualOperandSpeculation);
+        speculate(m_node, m_node->child1());
         LValue result = vmCall(Int64, operationValueBitNot, weakPointer(globalObject), operand);
         setJSValue(result);
     }
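Review bot: The pairing of `lowJSValue(m_node->child1(), ManualOperandSpeculation)` with the following `speculate(m_node, m_node->child1())` is the substance of this fix, yet nothing in the code documents it. In manual mode the lowering appears to emit no type check of its own, so dropping or moving the `speculate` call would again let a non-BigInt operand reach `operationValueBitNot` under AnyBigIntUse, while later code presumably treats the value as a proven BigInt. A comment above the two lines would keep that contract visible, for example `// ManualOperandSpeculation: lowJSValue() emits no check; speculate() below enforces AnyBigIntUse.` The enclosing compileValueBitNot starts before this hunk, so the branches that return earlier are not visible here.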