WebKit Bugzilla
Attachment 360496 Details for Bug 193978: ValueRecovery::recover() should purify NaN values it recovers.
[patch] proposed patch.
bug-193978.patch (text/plain), 3.23 KB, created by Mark Lam on 2019-01-29 13:47:14 PST
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 240678) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2019-01-29 Mark Lam <mark.lam@apple.com> >+ >+ ValueRecovery::recover() should purify NaN values it recovers. >+ https://bugs.webkit.org/show_bug.cgi?id=193978 >+ <rdar://problem/47625488> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added. >+ > 2019-01-28 Yusuke Suzuki <ysuzuki@apple.com> > > Unreviewed, fix the test after r240543 not to use @Error / Error in builtins >Index: JSTests/stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js >=================================================================== >--- JSTests/stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js (nonexistent) >+++ JSTests/stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js (working copy) >@@ -0,0 +1,13 @@ >+let buffer = new ArrayBuffer(4); >+let int32View = new Int32Array(buffer); >+int32View[0] = -1; >+let floatView = new Float32Array(buffer); >+ >+function foo() { >+ let tmp = floatView[0]; >+ for (let i = 0; i < 10000; ++i) { } >+ if (tmp) {} >+} >+ >+for (let i = 0; i < 100; ++i) >+ foo(); >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 240677) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,18 @@ >+2019-01-29 Mark Lam <mark.lam@apple.com> >+ >+ ValueRecovery::recover() should purify NaN values it recovers. >+ https://bugs.webkit.org/show_bug.cgi?id=193978 >+ <rdar://problem/47625488> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(), >+ recovered DoubleDisplacedInJSStack values need to be purified. >+ ValueRecovery::recover() should do the same. >+ >+ * bytecode/ValueRecovery.cpp: >+ (JSC::ValueRecovery::recover const): >+ > 2019-01-29 Keith Rollin <krollin@apple.com> > > Add .xcfilelists to Run Script build phases >Index: Source/JavaScriptCore/bytecode/ValueRecovery.cpp >=================================================================== >--- Source/JavaScriptCore/bytecode/ValueRecovery.cpp (revision 240675) >+++ Source/JavaScriptCore/bytecode/ValueRecovery.cpp (working copy) >@@ -1,5 +1,5 @@ > /* >- * Copyright (C) 2011, 2013, 2015 Apple Inc. All rights reserved. >+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved. > * > * Redistribution and use in source and binary forms, with or without > * modification, are permitted provided that the following conditions >@@ -43,7 +43,7 @@ JSValue ValueRecovery::recover(ExecState > case StrictInt52DisplacedInJSStack: > return jsNumber(exec->r(virtualRegister().offset()).unboxedStrictInt52()); > case DoubleDisplacedInJSStack: >- return jsNumber(exec->r(virtualRegister().offset()).unboxedDouble()); >+ return jsNumber(purifyNaN(exec->r(virtualRegister().offset()).unboxedDouble())); > case CellDisplacedInJSStack: > return exec->r(virtualRegister().offset()).unboxedCell(); > case BooleanDisplacedInJSStack:
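Review bot: The new stress test (JSTests/stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js) asserts nothing and carries no comment, so it can only fail by crashing and a reader cannot tell what it guards. Add a header comment stating that `int32View[0] = -1` makes `floatView[0]` read back as a NaN with a non-canonical bit pattern, and what the empty 10000-iteration loop in foo() followed by `if (tmp) {}` is meant to trigger. If the path is only reached under particular JSC options or build configurations, declare them in the test file so the regression coverage does not silently disappear.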
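Review bot: In the ValueRecovery::recover() hunk of Source/JavaScriptCore/bytecode/ValueRecovery.cpp, purifyNaN() is applied only to the DoubleDisplacedInJSStack case, and the hunk does not show whether any other case in this switch also passes a raw unboxed double to jsNumber(). Please confirm in the ChangeLog that this is the only such path, or purify the others in the same patch. A one-line comment at the call pointing to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(), which the ChangeLog names as the reference behaviour, would help keep the three sites in sync.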
Flags: saam: review+