Changeset 164461 in webkit

Timestamp:

Feb 20, 2014 6:01:28 PM (10 years ago)

Author:

ggaren@apple.com

Message:

Math.imul gives wrong results
​https://bugs.webkit.org/show_bug.cgi?id=126345

Reviewed by Mark Hahnenberg.

Source/JavaScriptCore:

Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
Instead, take a slow path that will do the right thing.

• jit/ThunkGenerators.cpp:

(JSC::imulThunkGenerator):

LayoutTests:

Test this edge case of a double just outside the int range.

• js/dom/imul-expected.txt:
• js/dom/script-tests/imul.js:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/dom/imul-expected.txt (modified) (1 diff)
• LayoutTests/js/dom/script-tests/imul.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/jit/ThunkGenerators.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-02-20  Geoffrey Garen  <ggaren@apple.com>
+
+        Math.imul gives wrong results
+        https://bugs.webkit.org/show_bug.cgi?id=126345
+
+        Reviewed by Mark Hahnenberg.
+
+        Test this edge case of a double just outside the int range.
+
+        * js/dom/imul-expected.txt:
+        * js/dom/script-tests/imul.js:
+
 2014-02-20  Brady Eidson  <beidson@apple.com>
 

trunk/LayoutTests/js/dom/imul-expected.txt

@@ -22 +22 @@
 PASS Math.imul(-Infinity, Infinity) is 0
 PASS Math.imul(-Infinity, -Infinity) is 0
+PASS Math.imul(0xffffffff, 5) is -5
 PASS testIMul(2,2,10000) is 40000
 PASS testIMul(2.5,2,10000) is 40000

trunk/LayoutTests/js/dom/script-tests/imul.js

@@ -21 +21 @@
 shouldBe("Math.imul(-Infinity, Infinity)", "0");
 shouldBe("Math.imul(-Infinity, -Infinity)", "0");
+shouldBe("Math.imul(0xffffffff, 5)", "-5");
 
 function testIMul(left, right, count)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-02-20  Geoffrey Garen  <ggaren@apple.com>
+
+        Math.imul gives wrong results
+        https://bugs.webkit.org/show_bug.cgi?id=126345
+
+        Reviewed by Mark Hahnenberg.
+
+        Don't truncate non-int doubles to 0 -- that's just not how ToInt32 works.
+        Instead, take a slow path that will do the right thing.
+
+        * jit/ThunkGenerators.cpp:
+        (JSC::imulThunkGenerator):
+
 2014-02-20  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/jit/ThunkGenerators.cpp

@@ -925 +925 @@
         jit.loadDoubleArgument(0, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::regT0);
         jit.branchTruncateDoubleToInt32(SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::regT0, SpecializedThunkJIT::BranchIfTruncateSuccessful).linkTo(doneLoadingArg0, &jit);
-        jit.xor32(SpecializedThunkJIT::regT0, SpecializedThunkJIT::regT0);
-        jit.jump(doneLoadingArg0);
+        jit.appendFailure(jit.jump());
     } else
         jit.appendFailure(nonIntArg0Jump);
@@ -934 +933 @@
         jit.loadDoubleArgument(1, SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::regT1);
         jit.branchTruncateDoubleToInt32(SpecializedThunkJIT::fpRegT0, SpecializedThunkJIT::regT1, SpecializedThunkJIT::BranchIfTruncateSuccessful).linkTo(doneLoadingArg1, &jit);
-        jit.xor32(SpecializedThunkJIT::regT1, SpecializedThunkJIT::regT1);
-        jit.jump(doneLoadingArg1);
+        jit.appendFailure(jit.jump());
     } else
         jit.appendFailure(nonIntArg1Jump);