Title: [282653] releases/WebKitGTK/webkit-2.34/Source/JavaScriptCore
Revision: 282653
Author: [email protected]
Date: 2021-09-17 03:33:33 -0700 (Fri, 17 Sep 2021)

Log Message

Merge r281933 - Fix IndexedDoubleStore InlineAccess for 32 bits
https://bugs.webkit.org/show_bug.cgi?id=229772

Patch by Mikhail R. Gadelha <[email protected]> on 2021-09-02
Reviewed by Caio Araujo Neponoceno de Lima.

In IndexedDoubleStore inline access, the path if the value is NaN
is only being handled in 64 bits, thus introducing some wrong
results in 32 bits. This patch fixes:

stress/double-add-sub-mul-can-produce-nan.js
stress/pow-stable-results.js
stress/math-pow-stable-results.js

* bytecode/AccessCase.cpp:
(JSC::AccessCase::generateWithGuard):

Diff

Modified: releases/WebKitGTK/webkit-2.34/Source/JavaScriptCore/ChangeLog (282652 => 282653)


--- releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog	2021-09-17 10:33:30 UTC (rev 282652)
+++ releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/ChangeLog	2021-09-17 10:33:33 UTC (rev 282653)
@@ -1,3 +1,21 @@
+2021-09-02  Mikhail R. Gadelha  <[email protected]>
+
+        Fix IndexedDoubleStore InlineAccess for 32 bits
+        https://bugs.webkit.org/show_bug.cgi?id=229772
+
+        Reviewed by Caio Araujo Neponoceno de Lima.
+
+        In IndexedDoubleStore inline access, the path if the value is NaN
+        is only being handled in 64 bits, thus introducing some wrong 
+        results in 32 bits. This patch fixes:
+
+        stress/double-add-sub-mul-can-produce-nan.js
+        stress/pow-stable-results.js
+        stress/math-pow-stable-results.js
+
+        * bytecode/AccessCase.cpp:
+        (JSC::AccessCase::generateWithGuard):
+
 2021-09-16  Mikhail R. Gadelha  <[email protected]>
 
         Fix crash in 32 bits due to not enough scratch registers available
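
Review bot: The `(JSC::AccessCase::generateWithGuard):` line that closes the new ChangeLog entry has no description, and the summary above it only says the NaN path was handled in 64 bits. It does not say that the 32-bit comparison of the tag against `JSValue::LowestTag` is removed as part of the fix. Please add a sentence to the function entry naming both changes (the shared `branchIfNaN` and the dropped tag branch), so that someone bisecting a 32-bit regression can see from the log that the guard changed.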

Modified: releases/WebKitGTK/webkit-2.34/Source/JavaScriptCore/bytecode/AccessCase.cpp (282652 => 282653)


--- releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/bytecode/AccessCase.cpp	2021-09-17 10:33:30 UTC (rev 282652)
+++ releases/WebKitGTK/webkit-2.34/Source/_javascript_Core/bytecode/AccessCase.cpp	2021-09-17 10:33:33 UTC (rev 282653)
@@ -1518,11 +1518,10 @@
                 notInt.link(&jit);
 #if USE(JSVALUE64)
                 jit.unboxDoubleWithoutAssertions(valueRegs.payloadGPR(), scratch2GPR, state.scratchFPR);
-                failAndRepatch.append(jit.branchIfNaN(state.scratchFPR));
 #else
-                failAndRepatch.append(jit.branch32(CCallHelpers::Above, valueRegs.tagGPR(), CCallHelpers::TrustedImm32(JSValue::LowestTag)));
                 jit.unboxDouble(valueRegs, state.scratchFPR);
 #endif
+                failAndRepatch.append(jit.branchIfNaN(state.scratchFPR));
                 ready.link(&jit);
 
                 jit.zeroExtend32ToWord(propertyGPR, scratch2GPR);
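
Review bot: In the `#else` (32-bit) branch, the removed `branch32(CCallHelpers::Above, valueRegs.tagGPR(), CCallHelpers::TrustedImm32(JSValue::LowestTag))` was the only visible check on the tag before `jit.unboxDouble(valueRegs, state.scratchFPR)`. After this change, rejecting a value that is not a double on that path depends entirely on the `branchIfNaN(state.scratchFPR)` now placed after `#endif`. If the intent is that every tag the old comparison rejected unboxes to a NaN bit pattern and is therefore still sent to `failAndRepatch`, please state that invariant in a comment next to the hoisted `branchIfNaN`, and confirm that `unboxDouble` is safe to call on such a value on 32-bit (the 64-bit branch uses `unboxDoubleWithoutAssertions`, the 32-bit branch does not). A type guard that holds only because of an undocumented encoding property is easy to break in a later refactor of an inline-cache store path. The three stress tests named in the log cover wrong NaN results; a test that stores a value that is neither an int nor a double through this path on 32-bit would cover the removed check.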