[webkit-changes] [WebKit/WebKit] 98940f: Cherry-pick 252432.839 at safari-7614-branch (71cdc1c...

EWS noreply at github.com
Mon Dec 19 17:34:00 PST 2022 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 98940f219ba0e3eb6d958af483b73dd9cc75c28c
      https://github.com/WebKit/WebKit/commit/98940f219ba0e3eb6d958af483b73dd9cc75c28c
  Author: Mark Lam <mark.lam at apple.com>
  Date:   2022-12-19 (Mon, 19 Dec 2022)

  Changed paths:
    A JSTests/stress/speculate-real-number-in-object-is.js
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  Cherry-pick 252432.839 at safari-7614-branch (71cdc1c09ef1). rdar://102531234

    The provenType filtering in FTL's speculateRealNumber is incorrect.
    https://bugs.webkit.org/show_bug.cgi?id=248266
    <rdar://problem/102531234>

    Reviewed by Justin Michaud.

    speculateRealNumber does a doubleEqual compare, which filters out double values which
    are not NaN.  NaN values will fall through to the `intCase` block.  In the `intCase` block,
    the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble.

    Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal,
    SpecDoublePureNaN }.  SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and
    SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN.  Hence, the filtering
    of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given
    a proven type of

        { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN }

    which yields

        { SpecInt32Only }.

    As a result, the compiler will think that that isNotIn32() check will always fail.  This
    is not correct if the actual incoming value for that edge is actually a PureNaN.  In this
    case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that
    the isNotInt32() check will always fail and elide the check altogether.

    In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal.  We also
    rename the `intCase` block to `intOrNaNCase` to document what it actually handles.

    * JSTests/stress/speculate-real-number-in-object-is.js: Added.
    (test.object_is_opt):
    (test):
    * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

    Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch

Canonical link: https://commits.webkit.org/258113@main

More information about the webkit-changes mailing list