[webkit-changes] [WebKit/WebKit] 98940f: Cherry-pick 252432.839@safari-7614-branch (71cdc1c...

Mon, 19 Dec 2022 17:34:13 -0800 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 98940f219ba0e3eb6d958af483b73dd9cc75c28c
      
https://github.com/WebKit/WebKit/commit/98940f219ba0e3eb6d958af483b73dd9cc75c28c
  Author: Mark Lam <[email protected]>
  Date:   2022-12-19 (Mon, 19 Dec 2022)

  Changed paths:
    A JSTests/stress/speculate-real-number-in-object-is.js
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Cherry-pick 252432.839@safari-7614-branch (71cdc1c09ef1). rdar://102531234

    The provenType filtering in FTL's speculateRealNumber is incorrect.
    https://bugs.webkit.org/show_bug.cgi?id=248266
    <rdar://problem/102531234>

    Reviewed by Justin Michaud.

    speculateRealNumber does a doubleEqual compare, which filters out double 
values which
    are not NaN.  NaN values will fall through to the `intCase` block.  In the 
`intCase` block,
    the isNotInt32() check there was given a proven type that wrongly filters 
out ~SpecFullDouble.

    Consider a scenario where the edge was proven to be { SpecInt32Only, 
SpecDoubleReal,
    SpecDoublePureNaN }.  SpecFullDouble is defined as SpecDoubleReal | 
SpecDoubleNaN, and
    SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN.  
Hence, the filtering
    of the proven type with ~SpecFullDouble means that isNotInt32() will 
effectively be given
    a proven type of

        { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { 
SpecDoubleReal, SpecDoublePureNaN }

    which yields

        { SpecInt32Only }.

    As a result, the compiler will think that that isNotIn32() check will 
always fail.  This
    is not correct if the actual incoming value for that edge is actually a 
PureNaN.  In this
    case, speculateRealNumber should have OSR exited, but it doesn't because it 
thinks that
    the isNotInt32() check will always fail and elide the check altogether.

    In this patch, we fix this by replacing the ~SpecFullDouble with 
~SpecDoubleReal.  We also
    rename the `intCase` block to `intOrNaNCase` to document what it actually 
handles.

    * JSTests/stress/speculate-real-number-in-object-is.js: Added.
    (test.object_is_opt):
    (test):
    * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

    Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch

Canonical link: https://commits.webkit.org/258113@main


_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to