Skip to site navigation (Press enter)

[webkit-changes] [236174] releases/WebKitGTK/webkit-2.22

carlosgc Wed, 19 Sep 2018 05:34:51 -0700

Title: [236174] releases/WebKitGTK/webkit-2.22

Revision: 236174
Author: carlo...@webkit.org
Date: 2018-09-19 05:33:52 -0700 (Wed, 19 Sep 2018)

Log Message

Merge r235765 - Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
https://bugs.webkit.org/show_bug.cgi?id=189380


Reviewed by Saam Barati.

JSTests:

New test.

* stress/math-pow-nan-to-zero-spec-type.js: Added.
(func):
(test):

Source/_javascript_Core:

Account for the case where in Math.pow(NaN, y) where y could be 0.

* bytecode/SpeculatedType.cpp:
(JSC::typeOfDoublePow):

Modified Paths

releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog
releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog
releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/bytecode/SpeculatedType.cpp

Added Paths

releases/WebKitGTK/webkit-2.22/JSTests/stress/math-pow-nan-to-zero-spec-type.js

Diff

Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (236173 => 236174)


--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog	2018-09-19 12:33:47 UTC (rev 236173)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog	2018-09-19 12:33:52 UTC (rev 236174)
@@ -1,3 +1,16 @@
+2018-09-06  Michael Saboff  <msab...@apple.com>
+
+        Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
+        https://bugs.webkit.org/show_bug.cgi?id=189380
+
+        Reviewed by Saam Barati.
+
+        New test.
+
+        * stress/math-pow-nan-to-zero-spec-type.js: Added.
+        (func):
+        (test):
+
 2018-09-05  Mark Lam  <mark....@apple.com>
 
         JSPropertyNameEnumerator::visitChildren() needs to visit its m_cachedStructureID.

Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/math-pow-nan-to-zero-spec-type.js (0 => 236174)


--- releases/WebKitGTK/webkit-2.22/JSTests/stress/math-pow-nan-to-zero-spec-type.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/math-pow-nan-to-zero-spec-type.js	2018-09-19 12:33:52 UTC (rev 236174)
@@ -0,0 +1,21 @@
+// Verify that we have the correct speculation checks for Math.pow(NaN, 0).
+
+function func(x) {
+    return fiatInt52(Math.pow(NaN, (x > 1)));
+};
+
+noInline(func);
+
+function test(f)
+{
+    for (let i = 0; i < 10000; ++i) {
+        if (f(0) != 1)
+            throw "Wrong expected value";
+
+        if (f(1) != 1)
+            throw "Wrong expected value";
+    }
+}
+
+test(func);
+

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (236173 => 236174)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-09-19 12:33:47 UTC (rev 236173)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-09-19 12:33:52 UTC (rev 236174)
@@ -1,3 +1,15 @@
+2018-09-06  Michael Saboff  <msab...@apple.com>
+
+        Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
+        https://bugs.webkit.org/show_bug.cgi?id=189380
+
+        Reviewed by Saam Barati.
+
+        Account for the case where in Math.pow(NaN, y) where y could be 0.
+
+        * bytecode/SpeculatedType.cpp:
+        (JSC::typeOfDoublePow):
+
 2018-09-06  Mark Lam  <mark....@apple.com>
 
         Gardening: only visit m_cachedStructureID if it's not null.

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/bytecode/SpeculatedType.cpp (236173 => 236174)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/bytecode/SpeculatedType.cpp	2018-09-19 12:33:47 UTC (rev 236173)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/bytecode/SpeculatedType.cpp	2018-09-19 12:33:52 UTC (rev 236174)
@@ -697,6 +697,9 @@
     // We always set a pure NaN in that case.
     if (yValue & SpecDoubleNaN)
         xValue |= SpecDoublePureNaN;
+    // Handle the wierd case of NaN ^ 0, which returns 1. See https://tc39.github.io/ecma262/#sec-applying-the-exp-operator
+    if (xValue & SpecDoubleNaN)
+        xValue |= SpecFullDouble;
     return polluteDouble(xValue);
 }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes