Title: [294284] trunk/Source/_javascript_Core
- Revision
- 294284
- Author
- sbar...@apple.com
- Date
- 2022-05-16 18:34:39 -0700 (Mon, 16 May 2022)
Log Message
Move around some NaN handling code
https://bugs.webkit.org/show_bug.cgi?id=240493
<rdar://92111504>
Reviewed by Yusuke Suzuki.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueRep):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::purifyNaN):
(JSC::FTL::DFG::LowerDFGToB3::compileValueRep):
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
Canonical link: https://commits.webkit.org/250628@main
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (294283 => 294284)
--- trunk/Source/_javascript_Core/ChangeLog 2022-05-17 01:32:50 UTC (rev 294283)
+++ trunk/Source/_javascript_Core/ChangeLog 2022-05-17 01:34:39 UTC (rev 294284)
@@ -1,3 +1,18 @@
+2022-05-16 Saam Barati <sbar...@apple.com>
+
+ Move around some NaN handling code
+ https://bugs.webkit.org/show_bug.cgi?id=240493
+ <rdar://92111504>
+
+ Reviewed by Yusuke Suzuki.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueRep):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::purifyNaN):
+ (JSC::FTL::DFG::LowerDFGToB3::compileValueRep):
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
2022-05-16 Patrick Angle <pan...@apple.com>
Web Inspector: Regression(r266885) Crash sometimes when rehydrating imported audit results
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (294283 => 294284)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2022-05-17 01:32:50 UTC (rev 294283)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2022-05-17 01:34:39 UTC (rev 294284)
@@ -3484,7 +3484,7 @@
// anymore. Unfortunately, this would be unsound. If it's a GetLocal or if the value was
// subject to a prior SetLocal, filtering the value would imply that the corresponding
// local was purified.
- if (needsTypeCheck(node->child1(), ~SpecDoubleImpureNaN))
+ if (m_state.forNode(node->child1()).couldBeType(SpecDoubleImpureNaN))
m_jit.purifyNaN(valueFPR);
boxDouble(valueFPR, resultRegs);
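Review bot: The purify here is skipped whenever the abstract value for `node->child1()` excludes `SpecDoubleImpureNaN`, so the boxed result is only as safe as that proof. The same guard appears in the FTL `compileValueRep` hunk as `abstractValue(m_node->child1()).couldBeType(SpecDoubleImpureNaN)`. With NaN-boxed JSValues, an impure NaN that reaches `boxDouble` can produce bits that decode as something other than a double, so an imprecise abstract type elsewhere would surface at these two sites as type confusion. Consider a debug-build assertion on the skipped path that `valueFPR` does not hold an impure NaN, plus a comment such as `// Safe to skip only because the abstract state proves the value is never an impure NaN.` The enclosing function starts and ends outside the hunk.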
@@ -4007,6 +4007,7 @@
}
if (format == DataFormatJS) {
+ m_jit.purifyNaN(resultReg);
m_jit.boxDouble(resultReg, resultRegs);
jsValueResult(resultRegs, node);
} else {
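Review bot: The added `m_jit.purifyNaN(resultReg);` has no comment saying why `resultReg` can hold an impure NaN at this point, and the same applies to the unconditional `boxDouble(purifyNaN(genericResult))` in the last FTLLowerDFGToB3.cpp hunk. Unlike the `compileValueRep` sites, these two purify without consulting the abstract state, which looks deliberate but is not explained. Suggest `// resultReg may carry arbitrary NaN bits; purify before boxing so the JSValue encoding stays a double.` above the call. The producer of `resultReg` and the enclosing function are outside the hunk, so the source of the NaN is inferred.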
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (294283 => 294284)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2022-05-17 01:32:50 UTC (rev 294283)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2022-05-17 01:34:39 UTC (rev 294284)
@@ -1964,6 +1964,11 @@
setInt32(integerValue);
}
+ LValue purifyNaN(LValue value)
+ {
+ return m_out.select(m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN));
+ }
+
void compileValueRep()
{
switch (m_node->child1().useKind()) {
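Review bot: The new `purifyNaN(LValue)` helper has no comment, and the `m_out.doubleEqual(value, value)` self-comparison is easy to misread as a no-op. Suggest a one-line header such as `// Returns value unchanged unless it is NaN (value != value), in which case returns the canonical PNaN.` Because the helper is now called from more than one boxing site, that header is also the place to state that any double which may be an impure NaN must pass through it before `boxDouble`. `compileValueRep` continues past the end of the hunk.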
@@ -1970,10 +1975,8 @@
case DoubleRepUse: {
LValue value = lowDouble(m_node->child1());
- if (m_interpreter.needsTypeCheck(m_node->child1(), ~SpecDoubleImpureNaN)) {
- value = m_out.select(
- m_out.doubleEqual(value, value), value, m_out.constDouble(PNaN));
- }
+ if (abstractValue(m_node->child1()).couldBeType(SpecDoubleImpureNaN))
+ value = purifyNaN(value);
setJSValue(boxDouble(value));
return;
@@ -13780,7 +13783,7 @@
else
genericResult = strictInt52ToJSValue(m_out.zeroExt(genericResult, Int64));
} else if (genericResult->type() == Double)
- genericResult = boxDouble(genericResult);
+ genericResult = boxDouble(purifyNaN(genericResult));
results.append(m_out.anchor(genericResult));
m_out.jump(continuation);
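Review bot: The ChangeLog attributes this change to `LowerDFGToB3::compileCompareStrictEq`, but the visible lines box an Int52 or `Double` `genericResult` and jump to a continuation, which does not read like a strict-equality lowering. The function header is outside the hunk, so this is inferred. If the attribution came from tooling, the ChangeLog entry should name the function that actually contains line 13783. An accurate name matters to anyone later auditing which boxing sites purify NaNs.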