Title: [241062] branches/safari-607-branch
- Revision
- 241062
- Author
- alanc...@apple.com
- Date
- 2019-02-06 14:16:34 -0800 (Wed, 06 Feb 2019)
Log Message
Cherry-pick r240681. rdar://problem/47774514
ValueRecovery::recover() should purify NaN values it recovers.
https://bugs.webkit.org/show_bug.cgi?id=193978
<rdar://problem/47625488>
Reviewed by Saam Barati.
JSTests:
* stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
Source/JavaScriptCore:
According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
recovered DoubleDisplacedInJSStack values need to be purified.
ValueRecovery::recover() should do the same.
* bytecode/ValueRecovery.cpp:
(JSC::ValueRecovery::recover const):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240681 268f45cc-cd09-0410-ab3c-d52691b4dbfc
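The commit message says that recovered DoubleDisplacedInJSStack values need to be purified, but not what purification does to the bits. The following JavaScript is an added example, not WebKit's code: it models JSC's purifyNaN() on a JS double through a BigUint64Array view, derives by hand the double the stress test produces (float32 bits 0xFFFFFFFF widened to double), and shows that purification maps it, and any other NaN, to the single canonical NaN while leaving non-NaN values (including -0 and the infinities) untouched. The mask constants, the canonical NaN pattern and all helper names are this example's own. Whether the host engine keeps the payload when the Float32Array element is read back is implementation-defined, so the bit pattern is computed arithmetically rather than read from the engine. Purification matters in JSC because the 64-bit JSValue encoding reserves part of the NaN space for tagged non-double values, which is why jsNumber() should only ever see a NaN with the canonical bit pattern.

```javascript
// Added example, not WebKit code: models JSC's purifyNaN() on JS doubles and
// reproduces the setup of the added stress test at the bit level.

const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer);

const EXP_MASK      = 0x7FF0000000000000n;
const MANTISSA_MASK = 0x000FFFFFFFFFFFFFn;
// Quiet NaN with sign 0 and empty payload: the only NaN purifyNaN lets through.
const CANONICAL_NAN = 0x7FF8000000000000n;

// The double the test produces: float32 bits 0xFFFFFFFF (sign set, exponent all
// ones, 23 mantissa bits all ones) widened to double. The 23 mantissa bits land
// in the top of the 52-bit field, so the payload is far from canonical.
const TEST_NAN_BITS = 0xFFFFFFFFE0000000n;

function doubleToBits(x) { f64[0] = x; return u64[0]; }
function bitsToDouble(b) { u64[0] = b; return f64[0]; }

// NaN: exponent all ones and a non-zero mantissa (all-zero mantissa is +/-Inf).
function isNaNBits(b) {
  return (b & EXP_MASK) === EXP_MASK && (b & MANTISSA_MASK) !== 0n;
}

function isCanonicalNaNBits(b) { return b === CANONICAL_NAN; }

// Model of purifyNaN: every NaN, whatever its sign or payload, becomes the
// canonical NaN; every non-NaN (including -0 and infinities) passes unchanged.
function purifyNaN(x) {
  return isNaNBits(doubleToBits(x)) ? bitsToDouble(CANONICAL_NAN) : x;
}

// Same construction as the stress test: -1 written through an Int32Array view
// and read back through a Float32Array view over the same 4 bytes.
function nonCanonicalNaNFromTest() {
  const buffer = new ArrayBuffer(4);
  const int32View = new Int32Array(buffer);
  int32View[0] = -1;
  return new Float32Array(buffer)[0];
}

// Widen a float32 NaN/Inf bit pattern to double by hand (sign, exponent all
// ones, 23-bit mantissa shifted into the top of the 52-bit field), independent
// of whether the host engine preserves NaN payloads on the typed-array read.
function widenFloat32Bits(bits32) {
  const b = BigInt(bits32 >>> 0);
  const sign = (b >> 31n) & 1n;
  const exp32 = (b >> 23n) & 0xFFn;
  const mant32 = b & 0x7FFFFFn;
  if (exp32 !== 0xFFn) throw new Error("only NaN/Inf patterns are handled here");
  return (sign << 63n) | EXP_MASK | (mant32 << 29n);
}

function describe(x) {
  const b = doubleToBits(x);
  return {
    bits: "0x" + b.toString(16).padStart(16, "0"),
    nan: isNaNBits(b),
    canonical: isCanonicalNaNBits(b),
  };
}

console.log("widened 0xFFFFFFFF:", "0x" + widenFloat32Bits(0xFFFFFFFF).toString(16));
console.log("from test         :", describe(nonCanonicalNaNFromTest()));
console.log("purified          :", describe(purifyNaN(nonCanonicalNaNFromTest())));
```

Run it under node; the first line prints the bit pattern the test's `tmp` carries before purification, and the last line shows the same value after purifyNaN, which is the only form a value recovered from a raw stack slot should reach jsNumber() in.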
Diff
Modified: branches/safari-607-branch/JSTests/ChangeLog (241061 => 241062)
--- branches/safari-607-branch/JSTests/ChangeLog 2019-02-06 22:16:32 UTC (rev 241061)
+++ branches/safari-607-branch/JSTests/ChangeLog 2019-02-06 22:16:34 UTC (rev 241062)
@@ -1,5 +1,42 @@
2019-02-05 Alan Coon <alanc...@apple.com>
+ Cherry-pick r240681. rdar://problem/47774514
+
+ ValueRecovery::recover() should purify NaN values it recovers.
+ https://bugs.webkit.org/show_bug.cgi?id=193978
+ <rdar://problem/47625488>
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
+
+ Source/_javascript_Core:
+
+ According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
+ recovered DoubleDisplacedInJSStack values need to be purified.
+ ValueRecovery::recover() should do the same.
+
+ * bytecode/ValueRecovery.cpp:
+ (JSC::ValueRecovery::recover const):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240681 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-01-29 Mark Lam <mark....@apple.com>
+
+ ValueRecovery::recover() should purify NaN values it recovers.
+ https://bugs.webkit.org/show_bug.cgi?id=193978
+ <rdar://problem/47625488>
+
+ Reviewed by Saam Barati.
+
+ * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
+
+2019-02-05 Alan Coon <alanc...@apple.com>
+
Cherry-pick r240616. rdar://problem/47774497
ToString node actually does GC.
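Review bot: the cherry-picked entry repeats the original rationale ("recovered DoubleDisplacedInJSStack values need to be purified") without saying what goes wrong when a NaN with an arbitrary payload is boxed by jsNumber(); one sentence on the consequence, or a pointer to the purification code in DFG::OSRExit::executeOSRExit() / compileExit() that the entry cites, would make this ChangeLog useful to the next reader of ValueRecovery.cpp.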
Added: branches/safari-607-branch/JSTests/stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js (0 => 241062)
--- branches/safari-607-branch/JSTests/stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js (rev 0)
+++ branches/safari-607-branch/JSTests/stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js 2019-02-06 22:16:34 UTC (rev 241062)
@@ -0,0 +1,13 @@
+let buffer = new ArrayBuffer(4);
+let int32View = new Int32Array(buffer);
+int32View[0] = -1;
+let floatView = new Float32Array(buffer);
+
+function foo() {
+ let tmp = floatView[0];
+ for (let i = 0; i < 10000; ++i) { }
+ if (tmp) {}
+}
+
+for (let i = 0; i < 100; ++i)
+ foo();
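Review bot: the test has no comment explaining why `int32View[0] = -1` is the interesting input and asserts nothing, so it only fails if the engine crashes or trips an assertion; add a comment stating that float32 bits 0xFFFFFFFF are a NaN with the sign bit and every payload bit set, so `tmp` is a NaN with a non-canonical payload by the time `if (tmp)` is reached, and say why the 10000-iteration loop and the 100 calls are there (presumably to get foo() compiled by the optimizing tiers so the value is recovered from a stack slot on exit).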
Modified: branches/safari-607-branch/Source/_javascript_Core/ChangeLog (241061 => 241062)
--- branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-02-06 22:16:32 UTC (rev 241061)
+++ branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-02-06 22:16:34 UTC (rev 241062)
@@ -1,5 +1,47 @@
2019-02-05 Alan Coon <alanc...@apple.com>
+ Cherry-pick r240681. rdar://problem/47774514
+
+ ValueRecovery::recover() should purify NaN values it recovers.
+ https://bugs.webkit.org/show_bug.cgi?id=193978
+ <rdar://problem/47625488>
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.
+
+ Source/_javascript_Core:
+
+ According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
+ recovered DoubleDisplacedInJSStack values need to be purified.
+ ValueRecovery::recover() should do the same.
+
+ * bytecode/ValueRecovery.cpp:
+ (JSC::ValueRecovery::recover const):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240681 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-01-29 Mark Lam <mark....@apple.com>
+
+ ValueRecovery::recover() should purify NaN values it recovers.
+ https://bugs.webkit.org/show_bug.cgi?id=193978
+ <rdar://problem/47625488>
+
+ Reviewed by Saam Barati.
+
+ According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
+ recovered DoubleDisplacedInJSStack values need to be purified.
+ ValueRecovery::recover() should do the same.
+
+ * bytecode/ValueRecovery.cpp:
+ (JSC::ValueRecovery::recover const):
+
+2019-02-05 Alan Coon <alanc...@apple.com>
+
Cherry-pick r240616. rdar://problem/47774497
ToString node actually does GC.
Modified: branches/safari-607-branch/Source/_javascript_Core/bytecode/ValueRecovery.cpp (241061 => 241062)
--- branches/safari-607-branch/Source/_javascript_Core/bytecode/ValueRecovery.cpp 2019-02-06 22:16:32 UTC (rev 241061)
+++ branches/safari-607-branch/Source/_javascript_Core/bytecode/ValueRecovery.cpp 2019-02-06 22:16:34 UTC (rev 241062)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2011, 2013, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -43,7 +43,7 @@
case StrictInt52DisplacedInJSStack:
return jsNumber(exec->r(virtualRegister().offset()).unboxedStrictInt52());
case DoubleDisplacedInJSStack:
- return jsNumber(exec->r(virtualRegister().offset()).unboxedDouble());
+ return jsNumber(purifyNaN(exec->r(virtualRegister().offset()).unboxedDouble()));
case CellDisplacedInJSStack:
return exec->r(virtualRegister().offset()).unboxedCell();
case BooleanDisplacedInJSStack:
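Review bot: purifyNaN is applied only in the DoubleDisplacedInJSStack arm; any other arm of this switch that yields a raw double (the register-resident double case is outside the visible context) should get the same treatment, since the reason a stack slot may hold an impure NaN applies equally there. A one-line comment at the purifyNaN call saying that a raw double slot may contain a NaN with a non-canonical payload and that jsNumber() must not see one would save the next reader a trip to DFG::OSRExit; the StrictInt52 and Cell arms above and below are correctly left alone.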