Title: [235765] trunk
- Revision: 235765
- Author: msab...@apple.com
- Date: 2018-09-06 16:44:49 -0700 (Thu, 06 Sep 2018)
Log Message
Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
https://bugs.webkit.org/show_bug.cgi?id=189380
Reviewed by Saam Barati.
JSTests:
New test.
* stress/math-pow-nan-to-zero-spec-type.js: Added.
(func):
(test):
Source/JavaScriptCore:
Account for the case in Math.pow(NaN, y) where y could be 0.
* bytecode/SpeculatedType.cpp:
(JSC::typeOfDoublePow):
Diff
Modified: trunk/JSTests/ChangeLog (235764 => 235765)
--- trunk/JSTests/ChangeLog 2018-09-06 23:25:39 UTC (rev 235764)
+++ trunk/JSTests/ChangeLog 2018-09-06 23:44:49 UTC (rev 235765)
@@ -1,3 +1,16 @@
+2018-09-06 Michael Saboff <msab...@apple.com>
+
+ Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
+ https://bugs.webkit.org/show_bug.cgi?id=189380
+
+ Reviewed by Saam Barati.
+
+ New test.
+
+ * stress/math-pow-nan-to-zero-spec-type.js: Added.
+ (func):
+ (test):
+
2018-09-06 Mark Lam <mark....@apple.com>
Gardening: Move regress-189185.js under JSTests/wasm.
Added: trunk/JSTests/stress/math-pow-nan-to-zero-spec-type.js (0 => 235765)
--- trunk/JSTests/stress/math-pow-nan-to-zero-spec-type.js (rev 0)
+++ trunk/JSTests/stress/math-pow-nan-to-zero-spec-type.js 2018-09-06 23:44:49 UTC (rev 235765)
@@ -0,0 +1,21 @@
+// Verify that we have the correct speculation checks for Math.pow(NaN, 0).
+
+function func(x) {
+ return fiatInt52(Math.pow(NaN, (x > 1)));
+};
+
+noInline(func);
+
+function test(f)
+{
+ for (let i = 0; i < 10000; ++i) {
+ if (f(0) != 1)
+ throw "Wrong expected value";
+
+ if (f(1) != 1)
+ throw "Wrong expected value";
+ }
+}
+
+test(func);
+
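Review bot: in `test`, both `f(0)` and `f(1)` make `x > 1` false, so the exponent handed to `Math.pow` is `false` on every iteration and the two checks cover the same case. A short comment in `func` saying why the exponent is a comparison result rather than a literal 0 would make the intent clear to the next reader. It would also help to put the returned value in the thrown string, since "Wrong expected value" alone does not show what came back. Minor style point: there is a stray `;` after the closing brace of `func`.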
Modified: trunk/Source/_javascript_Core/ChangeLog (235764 => 235765)
--- trunk/Source/_javascript_Core/ChangeLog 2018-09-06 23:25:39 UTC (rev 235764)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-09-06 23:44:49 UTC (rev 235765)
@@ -1,3 +1,15 @@
+2018-09-06 Michael Saboff <msab...@apple.com>
+
+ Improper speculation type for Math.pow(NaN, 0) in Abstract Interpreter
+ https://bugs.webkit.org/show_bug.cgi?id=189380
+
+ Reviewed by Saam Barati.
+
+ Account for the case where in Math.pow(NaN, y) where y could be 0.
+
+ * bytecode/SpeculatedType.cpp:
+ (JSC::typeOfDoublePow):
+
2018-09-06 Mark Lam <mark....@apple.com>
Gardening: only visit m_cachedStructureID if it's not null.
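Review bot: the description line "Account for the case where in Math.pow(NaN, y) where y could be 0." has a doubled "where" and does not say what changes in `typeOfDoublePow` for that case. Suggest rewording it to state that the result type is widened when the base may be NaN, so the entry can be read without opening the diff.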
Modified: trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp (235764 => 235765)
--- trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp 2018-09-06 23:25:39 UTC (rev 235764)
+++ trunk/Source/_javascript_Core/bytecode/SpeculatedType.cpp 2018-09-06 23:44:49 UTC (rev 235765)
@@ -697,6 +697,9 @@
// We always set a pure NaN in that case.
if (yValue & SpecDoubleNaN)
xValue |= SpecDoublePureNaN;
+ // Handle the wierd case of NaN ^ 0, which returns 1. See https://tc39.github.io/ecma262/#sec-applying-the-exp-operator
+ if (xValue & SpecDoubleNaN)
+ xValue |= SpecFullDouble;
return polluteDouble(xValue);
}
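Review bot: the added check `if (xValue & SpecDoubleNaN)` never looks at `yValue`, although the comment and the log message are about the exponent possibly being 0. It also runs after `xValue |= SpecDoublePureNaN`, so if `SpecDoublePureNaN` is among the `SpecDoubleNaN` bits, the widening to `SpecFullDouble` also fires when only `yValue` may be NaN. If that over-approximation is intentional, say so in the comment; otherwise consider testing `xValue` before the `yValue` adjustment, or only widening when `yValue` can be zero. Also, "wierd" in the new comment should be "weird".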