[Webkit-unassigned] [Bug 203406] Chakracore test max.js broken in armv7 and mips builds of JSC

bugzilla-daemon at webkit.org
Thu Nov 21 09:51:39 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=203406

--- Comment #9 from Mark Lam <mark.lam at apple.com> ---
(In reply to Xan Lopez from comment #8)
> Hey, a bit more info about this:
> 
> On x86-64 what's happening is that with the eager parameters we optimize the
> Math.max call, using what's in DFGSpeculativeJIT. For that platform the
> Math.max check is done with two comparisons, using the UCOMISD instruction.
> This instruction says 0.0 and -0.0 are equal, so the function just returns
> whatever value (which randomly turns out to be -0.0). This is wrong and
> gives us the -Infinity.
> 
> (I have not checked but I assume something similar is happening in other
> architectures)
> 
> A couple of questions:
> - I assume the fact that the DFG Math.max cannot do this properly is
> intentional? The code has been there for a while. In that case I suppose the
> bug is that we end up there.
> - If it's not intentional I guess we just figured out and need to change it.
> - I really don't understand how the BytecodeIndex patch ended up causing
> this.

It is incorrect for ArithMax to treat -0 as the same as 0.  ArithMax is supposed to work like Math.max(), and https://www.ecma-international.org/ecma-262/6.0/#sec-math.max says that Math.max() should treat 0 > -0.  Thanks for pointing out this issue.

We'll address this issue for x86_64 (and Apple supported ports) in https://bugs.webkit.org/show_bug.cgi?id=204457.
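
Added example, not part of the original comment and not WebKit code: a compare-only max next to one that follows the Math.max rule for signed zeros, with a differential check against the built-in and a hot-loop check suitable for a regression test. The names naiveMax, specMax, mismatches and builtinKeepsPositiveZero are hypothetical, and the sample inputs are constructed.

```javascript
// Added illustration. naiveMax models a max built only from ordered
// floating-point compares, which report 0.0 and -0.0 as equal.
// NaN is handled up front so the only divergence left is signed zero.
function naiveMax(a, b) {
  if (Number.isNaN(a) || Number.isNaN(b)) return NaN;
  if (a > b) return a;
  if (b > a) return b;
  return b; // "equal" by compare: an arbitrary operand, here the second
}

// Math.max semantics per ECMA-262: NaN propagates, +0 is larger than -0.
function specMax(a, b) {
  if (Number.isNaN(a) || Number.isNaN(b)) return NaN;
  if (a === 0 && b === 0) {
    // Both operands are zeros: the result is -0 only if both are -0.
    return Object.is(a, -0) && Object.is(b, -0) ? -0 : 0;
  }
  return a > b ? a : b;
}

// Constructed sample inputs covering signed zeros, NaN and infinities.
const SAMPLES = [0, -0, 1, -1, NaN, Infinity, -Infinity];

// Returns the [a, b] pairs where impl disagrees with the built-in.
// Object.is is used because === cannot tell 0 from -0 or match NaN.
function mismatches(impl) {
  const bad = [];
  for (const a of SAMPLES)
    for (const b of SAMPLES)
      if (!Object.is(impl(a, b), Math.max(a, b))) bad.push([a, b]);
  return bad;
}

// Runs Math.max in a hot loop so optimizing tiers get a chance to
// compile the call, and reports whether every result was still +0.
function builtinKeepsPositiveZero(iterations = 200000) {
  let ok = true;
  for (let i = 0; i < iterations; i++) {
    const r = i & 1 ? Math.max(0, -0) : Math.max(-0, 0);
    ok = ok && Object.is(r, 0);
  }
  return ok;
}
```

Dividing 1 by the result is what makes the sign visible: 1 / naiveMax(0, -0) is -Infinity, while 1 / specMax(0, -0) is Infinity.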
