Title: [260720] trunk
Revision
260720
Author
[email protected]
Date
2020-04-25 21:44:22 -0700 (Sat, 25 Apr 2020)

Log Message

[JSC] Handle BigInt32 INT32_MIN shift amount
https://bugs.webkit.org/show_bug.cgi?id=211030

Reviewed by Darin Adler.

JSTests:

* stress/bigint-int32-min-shift.js: Added.
(shouldBe):
(shouldThrow):

Source/_javascript_Core:

Our BigInt shift operation does not correctly handle an INT32_MIN shift amount, and produces a wrong result.
This patch fixes it.

* runtime/Operations.h:
(JSC::shift):

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (260719 => 260720)


--- trunk/JSTests/ChangeLog	2020-04-26 04:09:15 UTC (rev 260719)
+++ trunk/JSTests/ChangeLog	2020-04-26 04:44:22 UTC (rev 260720)
@@ -1,5 +1,16 @@
 2020-04-25  Yusuke Suzuki  <[email protected]>
 
+        [JSC] Handle BigInt32 INT32_MIN shift amount
+        https://bugs.webkit.org/show_bug.cgi?id=211030
+
+        Reviewed by Darin Adler.
+
+        * stress/bigint-int32-min-shift.js: Added.
+        (shouldBe):
+        (shouldThrow):
+
+2020-04-25  Yusuke Suzuki  <[email protected]>
+
         [JSC] Add fast path for BigInt32 left-shift
         https://bugs.webkit.org/show_bug.cgi?id=211029
 

Added: trunk/JSTests/stress/bigint-int32-min-shift.js (0 => 260720)


--- trunk/JSTests/stress/bigint-int32-min-shift.js	                        (rev 0)
+++ trunk/JSTests/stress/bigint-int32-min-shift.js	2020-04-26 04:44:22 UTC (rev 260720)
@@ -0,0 +1,49 @@
+function shouldBe(actual, expected) {
+    if (actual !== expected)
+        throw new Error('bad value: ' + actual);
+}
+
+function shouldThrow(func, errorMessage) {
+    var errorThrown = false;
+    var error = null;
+    try {
+        func();
+    } catch (e) {
+        errorThrown = true;
+        error = e;
+    }
+    if (!errorThrown)
+        throw new Error('not thrown');
+    if (String(error) !== errorMessage)
+        throw new Error(`bad error: ${String(error)}`);
+}
+
+let int32min = -0x7fffffffn - 1n;
+shouldBe(0n >> int32min, 0n);
+shouldBe(0n >> (int32min + 1n), 0n);
+shouldBe(0n << int32min, 0n);
+shouldBe(0n << (int32min + 1n), 0n);
+shouldBe(1n << int32min, 0n);
+shouldBe(1n << (int32min + 1n), 0n);
+shouldBe(-1n << int32min, -1n);
+shouldBe(-1n << (int32min + 1n), -1n);
+shouldBe(0x7fffffffn << int32min, 0n);
+shouldBe(0x7fffffffn << (int32min + 1n), 0n);
+shouldBe(0x7fffffffffffn << int32min, 0n);
+shouldBe(0x7fffffffffffn << (int32min + 1n), 0n);
+shouldBe(-0x7fffffffn << int32min, -1n);
+shouldBe(-0x7fffffffn << (int32min + 1n), -1n);
+shouldBe(-0x7fffffffffffn << int32min, -1n);
+shouldBe(-0x7fffffffffffn << (int32min + 1n), -1n);
+shouldThrow(() => {
+    1n >> int32min;
+}, `RangeError: BigInt generated from this operation is too big`);
+shouldThrow(() => {
+    -1n >> int32min;
+}, `RangeError: BigInt generated from this operation is too big`);
+shouldThrow(() => {
+    0x7fffffffn >> int32min;
+}, `RangeError: BigInt generated from this operation is too big`);
+shouldThrow(() => {
+    (-0x7fffffffn - 1n) >> int32min;
+}, `RangeError: BigInt generated from this operation is too big`);
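Review bot: Every shift amount in this file is `int32min` or `int32min + 1n`, so the test pins the new clamp but never compares it with the first amount that no longer fits in an int32. I would add the neighbouring cases, for example `shouldBe(1n << (int32min - 1n), 0n);` and `shouldBe(-1n << (int32min - 1n), -1n);`, so that a disagreement between the BigInt32 shift-amount path and whatever path handles larger amounts shows up here. Separately, `shouldBe` reports only the actual value; appending the expected value to the message (`'bad value: ' + actual + ', expected: ' + expected`) would make a failure in this long run of near-identical assertions easier to place.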

Modified: trunk/Source/_javascript_Core/ChangeLog (260719 => 260720)


--- trunk/Source/_javascript_Core/ChangeLog	2020-04-26 04:09:15 UTC (rev 260719)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-04-26 04:44:22 UTC (rev 260720)
@@ -1,3 +1,16 @@
+2020-04-25  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Handle BigInt32 INT32_MIN shift amount
+        https://bugs.webkit.org/show_bug.cgi?id=211030
+
+        Reviewed by Darin Adler.
+
+        Our BigInt shift-operation does not correctly handle INT32_MIN shift amount, and producing a wrong result.
+        This patch fixes it.
+
+        * runtime/Operations.h:
+        (JSC::shift):
+
 2020-04-25  Darin Adler  <[email protected]>
 
         [Cocoa] Deal with another round of Xcode upgrade checks

Modified: trunk/Source/_javascript_Core/runtime/Operations.h (260719 => 260720)


--- trunk/Source/_javascript_Core/runtime/Operations.h	2020-04-26 04:09:15 UTC (rev 260719)
+++ trunk/Source/_javascript_Core/runtime/Operations.h	2020-04-26 04:44:22 UTC (rev 260720)
@@ -762,7 +762,10 @@
         int32_t rightInt32 = rightNumeric.bigInt32AsInt32();
         if (rightInt32 < 0) {
             isLeft = !isLeft;
-            rightInt32 = -rightInt32;
+            if (rightInt32 == INT32_MIN)
+                rightInt32 = INT32_MAX; // Shifts one less than requested, but makes no observable difference.
+            else
+                rightInt32 = -rightInt32;
         }
         ASSERT(rightInt32 >= 0);
 
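Review bot: The comment on the `rightInt32 = INT32_MAX` line states that shifting one bit less "makes no observable difference" but does not say why, and the reason rests on a limit that is not visible in this hunk. The claim holds only if every shift of INT32_MAX bits or more already ends the same way: the flipped right shift collapses to 0n or -1n, and the flipped left shift of a non-zero value exceeds the maximum BigInt size and throws. I would spell that out and name the hazard being avoided, e.g. `// -INT32_MIN overflows int32_t (undefined behavior). Clamp to INT32_MAX: a shift this large already yields 0n/-1n or a RangeError.` If a maximum-length constant for BigInt is in scope here, a `static_assert` that it is below INT32_MAX bits would keep the comment true if that limit ever changes. The enclosing function starts and ends outside the hunk, so the later use of `rightInt32` could not be checked from here.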