Title: [116925] trunk
Revision: 116925
Author: [email protected]
Date: 2012-05-13 23:47:24 -0700 (Sun, 13 May 2012)
Log Message
DFG performs incorrect constant folding on double-to-uint32 conversion in
Uint32Array PutByVal
https://bugs.webkit.org/show_bug.cgi?id=86330
Source/JavaScriptCore:
Reviewed by Darin Adler.
static_cast<int>(d) is wrong, since JS semantics require us to use toInt32(d).
In particular, C++ casts on typical hardware (like x86 and similar) will
return 0x80000000 for double values that are out of range of the int32 domain
(i.e. less than -2^31 or greater than or equal to 2^31). But JS semantics call
for wrap-around; for example the double value 4294967297 ought to become the
int32 value 1, not 0x80000000.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
LayoutTests:
Rubber stamped by Darin Adler.
* fast/js/dfg-uint32array-overflow-constant-expected.txt: Added.
* fast/js/dfg-uint32array-overflow-constant.html: Added.
* fast/js/script-tests/dfg-uint32array-overflow-constant.js: Added.
(foo):
Diff
Modified: trunk/LayoutTests/ChangeLog (116924 => 116925)
--- trunk/LayoutTests/ChangeLog 2012-05-14 06:44:52 UTC (rev 116924)
+++ trunk/LayoutTests/ChangeLog 2012-05-14 06:47:24 UTC (rev 116925)
@@ -1,3 +1,16 @@
+2012-05-13 Filip Pizlo <[email protected]>
+
+ DFG performs incorrect constant folding on double-to-uint32 conversion in
+ Uint32Array PutByVal
+ https://bugs.webkit.org/show_bug.cgi?id=86330
+
+ Rubber stamped by Darin Adler.
+
+ * fast/js/dfg-uint32array-overflow-constant-expected.txt: Added.
+ * fast/js/dfg-uint32array-overflow-constant.html: Added.
+ * fast/js/script-tests/dfg-uint32array-overflow-constant.js: Added.
+ (foo):
+
2012-05-13 Csaba Osztrogonác <[email protected]>
[Qt] Unreviewed gardening, skip new asserting and failing test to paint the bots green.
Added: trunk/LayoutTests/fast/js/dfg-uint32array-overflow-constant-expected.txt (0 => 116925)
--- trunk/LayoutTests/fast/js/dfg-uint32array-overflow-constant-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-uint32array-overflow-constant-expected.txt 2012-05-14 06:47:24 UTC (rev 116925)
@@ -0,0 +1,209 @@
+Tests that storing a value that is outside of the int32 range into a Uint32Array results in correct wrap-around.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/fast/js/dfg-uint32array-overflow-constant.html (0 => 116925)
--- trunk/LayoutTests/fast/js/dfg-uint32array-overflow-constant.html (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-uint32array-overflow-constant.html 2012-05-14 06:47:24 UTC (rev 116925)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/fast/js/script-tests/dfg-uint32array-overflow-constant.js (0 => 116925)
--- trunk/LayoutTests/fast/js/script-tests/dfg-uint32array-overflow-constant.js (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/dfg-uint32array-overflow-constant.js 2012-05-14 06:47:24 UTC (rev 116925)
@@ -0,0 +1,15 @@
+description(
+"Tests that storing a value that is outside of the int32 range into a Uint32Array results in correct wrap-around."
+);
+
+function foo(a) {
+ a[0] = 0x8005465c;
+}
+
+var array = new Uint32Array(1);
+
+for (var i = 0; i < 200; ++i) {
+ foo(array);
+ shouldBe("array[0]", "0x8005465c");
+}
+
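Review bot: The test stores a single constant, `a[0] = 0x8005465c;`, which lies between 2^31 and 2^32, so it does not exercise the ChangeLog's own example of 4294967297 (a value at or above 2^32 that must wrap to 1), nor a constant below -2^31. Adding a second and third `foo`-style function with those constants would cover both ends of the out-of-range domain the log message describes. The changed function is named compilePutByValForIntTypedArray, so if the same constant path serves other integer typed arrays, a case for at least one of them would be worth having as well. Nothing in the test confirms that `foo` was actually compiled by the DFG within the 200 iterations; a short comment stating that assumption would help whoever later tunes the loop count.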
Modified: trunk/Source/_javascript_Core/ChangeLog (116924 => 116925)
--- trunk/Source/_javascript_Core/ChangeLog 2012-05-14 06:44:52 UTC (rev 116924)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-05-14 06:47:24 UTC (rev 116925)
@@ -1,3 +1,21 @@
+2012-05-13 Filip Pizlo <[email protected]>
+
+ DFG performs incorrect constant folding on double-to-uint32 conversion in
+ Uint32Array PutByVal
+ https://bugs.webkit.org/show_bug.cgi?id=86330
+
+ Reviewed by Darin Adler.
+
+ static_cast<int>(d) is wrong, since JS semantics require us to use toInt32(d).
+ In particular, C++ casts on typical hardware (like x86 and similar) will
+ return 0x80000000 for double values that are out of range of the int32 domain
+ (i.e. less than -2^31 or greater than or equal to 2^31). But JS semantics call
+ for wrap-around; for example the double value 4294967297 ought to become the
+ int32 value 1, not 0x80000000.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+
2012-05-11 Gavin Barraclough <[email protected]>
Introduce PropertyName class
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (116924 => 116925)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-05-14 06:44:52 UTC (rev 116924)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-05-14 06:47:24 UTC (rev 116925)
@@ -1974,7 +1974,7 @@
}
GPRTemporary scratch(this);
GPRReg scratchReg = scratch.gpr();
- m_jit.move(Imm32(static_cast<int>(d)), scratchReg);
+ m_jit.move(Imm32(toInt32(d)), scratchReg);
value.adopt(scratch);
valueGPR = scratchReg;
} else if (at(valueUse).shouldSpeculateInteger()) {
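Review bot: The corrected line `m_jit.move(Imm32(toInt32(d)), scratchReg);` has no comment explaining why a plain C++ cast is wrong here, so the rationale (out-of-range doubles must wrap around per JS semantics rather than collapse to 0x80000000) lives only in the ChangeLog. A one-line comment above the move would keep a later cleanup from reintroducing `static_cast<int>(d)`. Since this is a constant-folding path, a wrong immediate means the DFG-compiled store writes a different value than the non-folded path would for the same script, which is worth stating in that comment. The visible context does not show whether `d` is converted anywhere else in this function; any other site that casts it directly deserves the same change.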
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes