Title: [117156] branches/safari-536-branch

Diff

Modified: branches/safari-536-branch/LayoutTests/ChangeLog (117155 => 117156)


--- branches/safari-536-branch/LayoutTests/ChangeLog	2012-05-15 21:14:58 UTC (rev 117155)
+++ branches/safari-536-branch/LayoutTests/ChangeLog	2012-05-15 21:16:52 UTC (rev 117156)
@@ -1,5 +1,22 @@
 2012-05-15  Lucas Forschler  <[email protected]>
 
+    Merge 116925
+
+    2012-05-13  Filip Pizlo  <[email protected]>
+
+            DFG performs incorrect constant folding on double-to-uint32 conversion in
+            Uint32Array PutByVal
+            https://bugs.webkit.org/show_bug.cgi?id=86330
+
+            Rubber stamped by Darin Adler.
+
+            * fast/js/dfg-uint32array-overflow-constant-expected.txt: Added.
+            * fast/js/dfg-uint32array-overflow-constant.html: Added.
+            * fast/js/script-tests/dfg-uint32array-overflow-constant.js: Added.
+            (foo):
+
+2012-05-15  Lucas Forschler  <[email protected]>
+
     Merge 116821
 
     2012-05-10  Timothy Hatcher  <[email protected]>

Copied: branches/safari-536-branch/LayoutTests/fast/js/dfg-uint32array-overflow-constant-expected.txt (from rev 116925, trunk/LayoutTests/fast/js/dfg-uint32array-overflow-constant-expected.txt) (0 => 117156)


--- branches/safari-536-branch/LayoutTests/fast/js/dfg-uint32array-overflow-constant-expected.txt	                        (rev 0)
+++ branches/safari-536-branch/LayoutTests/fast/js/dfg-uint32array-overflow-constant-expected.txt	2012-05-15 21:16:52 UTC (rev 117156)
@@ -0,0 +1,209 @@
+Tests that storing a value that is outside of the int32 range into a Uint32Array results in correct wrap-around.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS array[0] is 0x8005465c
+PASS successfullyParsed is true
+
+TEST COMPLETE
+

Copied: branches/safari-536-branch/LayoutTests/fast/js/dfg-uint32array-overflow-constant.html (from rev 116925, trunk/LayoutTests/fast/js/dfg-uint32array-overflow-constant.html) (0 => 117156)


--- branches/safari-536-branch/LayoutTests/fast/js/dfg-uint32array-overflow-constant.html	                        (rev 0)
+++ branches/safari-536-branch/LayoutTests/fast/js/dfg-uint32array-overflow-constant.html	2012-05-15 21:16:52 UTC (rev 117156)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>

Copied: branches/safari-536-branch/LayoutTests/fast/js/script-tests/dfg-uint32array-overflow-constant.js (from rev 116925, trunk/LayoutTests/fast/js/script-tests/dfg-uint32array-overflow-constant.js) (0 => 117156)


--- branches/safari-536-branch/LayoutTests/fast/js/script-tests/dfg-uint32array-overflow-constant.js	                        (rev 0)
+++ branches/safari-536-branch/LayoutTests/fast/js/script-tests/dfg-uint32array-overflow-constant.js	2012-05-15 21:16:52 UTC (rev 117156)
@@ -0,0 +1,15 @@
+description(
+"Tests that storing a value that is outside of the int32 range into a Uint32Array results in correct wrap-around."
+);
+
+function foo(a) {
+    a[0] = 0x8005465c;
+}
+
+var array = new Uint32Array(1);
+
+for (var i = 0; i < 200; ++i) {
+    foo(array);
+    shouldBe("array[0]", "0x8005465c");
+}
+
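
Review bot: foo() stores only one constant, 0x8005465c, which lies between 2^31 and 2^32, so the test exercises a single slice of the out-of-range domain. The JavaScriptCore ChangeLog for this fix also names values below -2^31 and the example 4294967297 (expected to become 1); adding one function per such constant, each run through the same 200-iteration loop with its own shouldBe, would pin down the wrap-around on both sides of the int32 range.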

Modified: branches/safari-536-branch/Source/JavaScriptCore/ChangeLog (117155 => 117156)


--- branches/safari-536-branch/Source/_javascript_Core/ChangeLog	2012-05-15 21:14:58 UTC (rev 117155)
+++ branches/safari-536-branch/Source/_javascript_Core/ChangeLog	2012-05-15 21:16:52 UTC (rev 117156)
@@ -1,5 +1,27 @@
 2012-05-15  Lucas Forschler  <[email protected]>
 
+    Merge 116925
+
+    2012-05-13  Filip Pizlo  <[email protected]>
+
+            DFG performs incorrect constant folding on double-to-uint32 conversion in
+            Uint32Array PutByVal
+            https://bugs.webkit.org/show_bug.cgi?id=86330
+
+            Reviewed by Darin Adler.
+
+            static_cast<int>(d) is wrong, since JS semantics require us to use toInt32(d).
+            In particular, C++ casts on typical hardware (like x86 and similar) will
+            return 0x80000000 for double values that are out of range of the int32 domain
+            (i.e. less than -2^31 or greater than or equal to 2^31). But JS semantics call
+            for wrap-around; for example the double value 4294967297 ought to become the
+            int32 value 1, not 0x80000000.
+
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+
+2012-05-15  Lucas Forschler  <[email protected]>
+
     Merge 116809
 
     2012-05-11  Geoffrey Garen  <[email protected]>
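
Review bot: The entry title scopes the bug to Uint32Array PutByVal, but the function listed is compilePutByValForIntTypedArray, so the entry should say whether the other integer typed arrays took the same constant-folding path. In the description, "will return 0x80000000" is the x86 result; converting an out-of-range double to int is undefined behaviour in C++, and stating that would make clear the old cast could not be relied on for any target.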

Modified: branches/safari-536-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (117155 => 117156)


--- branches/safari-536-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2012-05-15 21:14:58 UTC (rev 117155)
+++ branches/safari-536-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2012-05-15 21:16:52 UTC (rev 117156)
@@ -1974,7 +1974,7 @@
         }
         GPRTemporary scratch(this);
         GPRReg scratchReg = scratch.gpr();
-        m_jit.move(Imm32(static_cast<int>(d)), scratchReg);
+        m_jit.move(Imm32(toInt32(d)), scratchReg);
         value.adopt(scratch);
         valueGPR = scratchReg;
     } else if (at(valueUse).shouldSpeculateInteger()) {
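
Review bot: The changed line, m_jit.move(Imm32(toInt32(d)), scratchReg), carries no comment saying why toInt32 is required, and static_cast<int>(d) looks equivalent to anyone who later tidies this branch. A one-line comment that the folded constant must follow JS ToInt32 wrap-around rather than a C++ conversion would guard against a regression. This hunk touches only the constant-folded branch; the non-constant double path is not shown here and is worth checking for the same conversion.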