Diff
Modified: trunk/LayoutTests/ChangeLog (164460 => 164461)
--- trunk/LayoutTests/ChangeLog 2014-02-21 01:50:03 UTC (rev 164460)
+++ trunk/LayoutTests/ChangeLog 2014-02-21 02:01:28 UTC (rev 164461)
@@ -1,3 +1,15 @@
+2014-02-20 Geoffrey Garen <[email protected]>
+
+ Math.imul gives wrong results
+ https://bugs.webkit.org/show_bug.cgi?id=126345
+
+ Reviewed by Mark Hahnenberg.
+
+ Test this edge case of a double just outside the int range.
+
+ * js/dom/imul-expected.txt:
+ * js/dom/script-tests/imul.js:
+
2014-02-20 Brady Eidson <[email protected]>
Add very basic image control rendering
Modified: trunk/LayoutTests/js/dom/imul-expected.txt (164460 => 164461)
--- trunk/LayoutTests/js/dom/imul-expected.txt 2014-02-21 01:50:03 UTC (rev 164460)
+++ trunk/LayoutTests/js/dom/imul-expected.txt 2014-02-21 02:01:28 UTC (rev 164461)
@@ -21,6 +21,7 @@
PASS Math.imul(Infinity, -Infinity) is 0
PASS Math.imul(-Infinity, Infinity) is 0
PASS Math.imul(-Infinity, -Infinity) is 0
+PASS Math.imul(0xffffffff, 5) is -5
PASS testIMul(2,2,10000) is 40000
PASS testIMul(2.5,2,10000) is 40000
PASS testIMul(2,2.5,10000) is 40000
Modified: trunk/LayoutTests/js/dom/script-tests/imul.js (164460 => 164461)
--- trunk/LayoutTests/js/dom/script-tests/imul.js 2014-02-21 01:50:03 UTC (rev 164460)
+++ trunk/LayoutTests/js/dom/script-tests/imul.js 2014-02-21 02:01:28 UTC (rev 164461)
@@ -20,6 +20,7 @@
shouldBe("Math.imul(Infinity, -Infinity)", "0");
shouldBe("Math.imul(-Infinity, Infinity)", "0");
shouldBe("Math.imul(-Infinity, -Infinity)", "0");
+shouldBe("Math.imul(0xffffffff, 5)", "-5");
function testIMul(left, right, count)
{
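Review bot: The added case puts the out-of-range double only in the first operand, while this commit makes the same change to the arg1 path of imulThunkGenerator, so the second operand's new slow-path exit goes untested in the visible lines. I would add `shouldBe("Math.imul(5, 0xffffffff)", "-5");` and a value just below the int32 range, `shouldBe("Math.imul(-0x80000001, 1)", "2147483647");`, with the matching PASS lines in imul-expected.txt. The body of testIMul continues outside the hunk, so the looped cases may already cover part of this.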
Modified: trunk/Source/_javascript_Core/ChangeLog (164460 => 164461)
--- trunk/Source/_javascript_Core/ChangeLog 2014-02-21 01:50:03 UTC (rev 164460)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-02-21 02:01:28 UTC (rev 164461)
@@ -1,3 +1,16 @@
+2014-02-20 Geoffrey Garen <[email protected]>
+
+ Math.imul gives wrong results
+ https://bugs.webkit.org/show_bug.cgi?id=126345
+
+ Reviewed by Mark Hahnenberg.
+
+ Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
+ Instead, take a slow path that will do the right thing.
+
+ * jit/ThunkGenerators.cpp:
+ (JSC::imulThunkGenerator):
+
2014-02-20 Filip Pizlo <[email protected]>
DFG should do its own static estimates of execution frequency before it starts creating OSR entrypoints
Modified: trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp (164460 => 164461)
--- trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2014-02-21 01:50:03 UTC (rev 164460)
+++ trunk/Source/_javascript_Core/jit/ThunkGenerators.cpp 2014-02-21 02:01:28 UTC (rev 164461)
@@ -924,8 +924,7 @@
nonIntArg0Jump.link(&jit);
jit.loadDoubleArgument(0, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::regT0);
jit.branchTruncateDoubleToInt32(SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::regT0, SpecializedThunkJIT::BranchIfTruncateSuccessful).linkTo(doneLoadingArg0, &jit);
- jit.xor32(SpecializedThunkJIT::regT0, SpecializedThunkJIT::regT0);
- jit.jump(doneLoadingArg0);
+ jit.appendFailure(jit.jump());
} else
jit.appendFailure(nonIntArg0Jump);
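Review bot: The new `jit.appendFailure(jit.jump());` after the arg0 truncation branch carries no comment on why a failed truncation has to leave the thunk, and the removed zeroing code shows how easily that failure is read as "NaN or Infinity only". I would put above it `// Truncation also fails for finite doubles outside the int32 range; ToInt32 wraps those modulo 2^32, so defer to the slow path.` The arg1 hunk below adds the identical line and wants the same comment. imulThunkGenerator begins and ends outside both hunks, so the slow path itself is not visible here.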
@@ -933,8 +932,7 @@
nonIntArg1Jump.link(&jit);
jit.loadDoubleArgument(1, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::regT1);
jit.branchTruncateDoubleToInt32(SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::regT1, SpecializedThunkJIT::BranchIfTruncateSuccessful).linkTo(doneLoadingArg1, &jit);
- jit.xor32(SpecializedThunkJIT::regT1, SpecializedThunkJIT::regT1);
- jit.jump(doneLoadingArg1);
+ jit.appendFailure(jit.jump());
} else
jit.appendFailure(nonIntArg1Jump);