Title: [281933] trunk/Source/_javascript_Core
- Revision
- 281933
- Author
- commit-qu...@webkit.org
- Date
- 2021-09-02 10:20:42 -0700 (Thu, 02 Sep 2021)
Log Message
Fix IndexedDoubleStore InlineAccess for 32 bits
https://bugs.webkit.org/show_bug.cgi?id=229772
Patch by Mikhail R. Gadelha <mikh...@igalia.com> on 2021-09-02
Reviewed by Caio Araujo Neponoceno de Lima.
In IndexedDoubleStore inline access, the path if the value is NaN
is only being handled in 64 bits, thus introducing some wrong
results in 32 bits. This patch fixes:
stress/double-add-sub-mul-can-produce-nan.js
stress/pow-stable-results.js
stress/math-pow-stable-results.js
* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (281932 => 281933)
--- trunk/Source/_javascript_Core/ChangeLog 2021-09-02 16:42:55 UTC (rev 281932)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-09-02 17:20:42 UTC (rev 281933)
@@ -1,3 +1,21 @@
+2021-09-02 Mikhail R. Gadelha <mikh...@igalia.com>
+
+ Fix IndexedDoubleStore InlineAccess for 32 bits
+ https://bugs.webkit.org/show_bug.cgi?id=229772
+
+ Reviewed by Caio Araujo Neponoceno de Lima.
+
+ In IndexedDoubleStore inline access, the path if the value is NaN
+ is only being handled in 64 bits, thus introducing some wrong
+ results in 32 bits. This patch fixes:
+
+ stress/double-add-sub-mul-can-produce-nan.js
+ stress/pow-stable-results.js
+ stress/math-pow-stable-results.js
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::generateWithGuard):
+
2021-09-02 Ross Kirsling <ross.kirsl...@sony.com>
[JSC] Fix invalid exception checks in Temporal classes
Modified: trunk/Source/_javascript_Core/bytecode/AccessCase.cpp (281932 => 281933)
--- trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2021-09-02 16:42:55 UTC (rev 281932)
+++ trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2021-09-02 17:20:42 UTC (rev 281933)
@@ -1484,11 +1484,10 @@
notInt.link(&jit);
#if USE(JSVALUE64)
jit.unboxDoubleWithoutAssertions(valueRegs.payloadGPR(), scratch2GPR, state.scratchFPR);
- failAndRepatch.append(jit.branchIfNaN(state.scratchFPR));
#else
- failAndRepatch.append(jit.branch32(CCallHelpers::Above, valueRegs.tagGPR(), CCallHelpers::TrustedImm32(JSValue::LowestTag)));
jit.unboxDouble(valueRegs, state.scratchFPR);
#endif
+ failAndRepatch.append(jit.branchIfNaN(state.scratchFPR));
ready.link(&jit);
jit.zeroExtend32ToWord(propertyGPR, scratch2GPR);
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes