Timestamp:
Dec 23, 2011, 1:05:46 PM (13 years ago)
Author:
[email protected]
Message:

DFG does double-to-int conversion incorrectly when storing into int typed arrays
https://bugs.webkit.org/show_bug.cgi?id=75164
<rdar://problem/10557547>

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

  • assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::branchTruncateDoubleToUint32):

  • assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::branchTruncateDoubleToUint32):
(JSC::MacroAssemblerX86Common::truncateDoubleToUint32):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

LayoutTests:

  • fast/js/dfg-int32array-overflow-values-expected.txt: Added.
  • fast/js/dfg-int32array-overflow-values.html: Added.
  • fast/js/dfg-uint32array-overflow-values-expected.txt: Added.
  • fast/js/dfg-uint32array-overflow-values.html: Added.
  • fast/js/script-tests/dfg-int32array-overflow-values.js: Added.

(getter1):
(setter1):
(getter2):
(setter2):
(getter3):
(setter3):
(getter4):
(setter4):
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
(safeSetter):

  • fast/js/script-tests/dfg-uint32array-overflow-values.js: Added.

(getter1):
(setter1):
(getter2):
(setter2):
(getter3):
(setter3):
(getter4):
(setter4):
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
(safeSetter):

File:
1 edited

  • trunk/Source/JavaScriptCore/assembler/MacroAssemblerARMv7.h

    r102389 r103636  
    937937    }
    938938
     939    Jump branchTruncateDoubleToUint32(FPRegisterID src, RegisterID dest, BranchTruncateType branchType = BranchIfTruncateFailed)
     940    {
     941        m_assembler.vcvt_floatingPointToSigned(fpTempRegisterAsSingle(), src);
     942        m_assembler.vmov(dest, fpTempRegisterAsSingle());
     943
     944        return branch32(branchType ? GreaterThanOrEqual : LessThan, dest, TrustedImm32(0));
     945    }
     946
    939947    // Result is undefined if the value is outside of the integer range.
    940948    void truncateDoubleToInt32(FPRegisterID src, RegisterID dest)
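
Review bot: branchTruncateDoubleToUint32 converts with vcvt_floatingPointToSigned and then treats any non-negative dest as a successful truncation, so the name promises an unsigned result while the check in the `return branch32(...)` line only looks at the sign of a signed conversion. A source double at or above 2^31 is not representable by that conversion, and nothing in the new function says what dest holds in that case or whether the sign test reports it as a failure. Since this helper feeds typed-array stores, please either add a comment like the one on truncateDoubleToInt32 just below, stating the input range for which the result is valid, or add an explicit range check. Separately, `branchType ? GreaterThanOrEqual : LessThan` depends on the numeric value of the BranchTruncateType enumerators; assuming BranchIfTruncateFailed is the zero enumerator, writing `branchType == BranchIfTruncateFailed ? LessThan : GreaterThanOrEqual` keeps the behaviour and makes the intent readable without looking up the enum.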