WebKit Bugzilla
Attachment 349086 Details for
Bug 189380
: Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
189380.patch (text/plain), 2.67 KB, created by
Michael Saboff
on 2018-09-06 16:00:21 PDT
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Michael Saboff
Created:
2018-09-06 16:00:21 PDT
Size:
2.67 KB
patch
obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 235763) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,16 @@ >+2018-09-06 Michael Saboff <msaboff@apple.com> >+ >+ Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter >+ https://bugs.webkit.org/show_bug.cgi?id=189380 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ New test. >+ >+ * stress/math-pow-nan-to-zero-spec-type.js: Added. >+ (func): >+ (test): >+ > 2018-09-06 Mark Lam <mark.lam@apple.com> > > Gardening: Move regress-189185.js under JSTests/wasm. >Index: JSTests/stress/math-pow-nan-to-zero-spec-type.js >=================================================================== >--- JSTests/stress/math-pow-nan-to-zero-spec-type.js (nonexistent) >+++ JSTests/stress/math-pow-nan-to-zero-spec-type.js (working copy) >@@ -0,0 +1,21 @@ >+// Verify that we have the correct speculation checks for Math.pow(NaN, 0). >+ >+function func(x) { >+ return fiatInt52(Math.pow(NaN, (x > 1))); >+}; >+ >+noInline(func); >+ >+function test(f) >+{ >+ for (let i = 0; i < 10000; ++i) { >+ if (f(0) != 1) >+ throw "Wrong expected value"; >+ >+ if (f(1) != 1) >+ throw "Wrong expected value"; >+ } >+} >+ >+test(func); >+ >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 235685) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,15 @@ >+2018-09-06 Michael Saboff <msaboff@apple.com> >+ >+ Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter >+ https://bugs.webkit.org/show_bug.cgi?id=189380 >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ Account for the case where in Math.pow(NaN, y) where y could be 0. >+ >+ * bytecode/SpeculatedType.cpp: >+ (JSC::typeOfDoublePow): >+ > 2018-09-04 Keith Miller <keith_miller@apple.com> > > RELEASE_ASSERT at ../../Source/JavaScriptCore/heap/MarkedSpace.h:83 >Index: Source/JavaScriptCore/bytecode/SpeculatedType.cpp >=================================================================== >--- Source/JavaScriptCore/bytecode/SpeculatedType.cpp (revision 235685) >+++ Source/JavaScriptCore/bytecode/SpeculatedType.cpp (working copy) >@@ -697,6 +697,9 @@ SpeculatedType typeOfDoublePow(Speculate > // We always set a pure NaN in that case. > if (yValue & SpecDoubleNaN) > xValue |= SpecDoublePureNaN; >+ // Handle the wierd case of NaN ^ 0, which returns 1. See https://tc39.github.io/ecma262/#sec-applying-the-exp-operator >+ if (xValue & SpecDoubleNaN) >+ xValue |= SpecFullDouble; > return polluteDouble(xValue); > } >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=349086">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 189380
: 349086