Timestamp:
Dec 23, 2011, 1:05:46 PM (14 years ago)
Author:
[email protected]
Message:

DFG does double-to-int conversion incorrectly when storing into int typed arrays
https://bugs.webkit.org/show_bug.cgi?id=75164
<rdar://problem/10557547>

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

  • assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::branchTruncateDoubleToUint32):

  • assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::branchTruncateDoubleToUint32):
(JSC::MacroAssemblerX86Common::truncateDoubleToUint32):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

LayoutTests:

  • fast/js/dfg-int32array-overflow-values-expected.txt: Added.
  • fast/js/dfg-int32array-overflow-values.html: Added.
  • fast/js/dfg-uint32array-overflow-values-expected.txt: Added.
  • fast/js/dfg-uint32array-overflow-values.html: Added.
  • fast/js/script-tests/dfg-int32array-overflow-values.js: Added.

(getter1):
(setter1):
(getter2):
(setter2):
(getter3):
(setter3):
(getter4):
(setter4):
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
(safeSetter):

  • fast/js/script-tests/dfg-uint32array-overflow-values.js: Added.

(getter1):
(setter1):
(getter2):
(setter2):
(getter3):
(setter3):
(getter4):
(setter4):
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
(safeSetter):

File:
1 edited

  • trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

    r102389 r103636  
    787787    }
    788788
     789    Jump branchTruncateDoubleToUint32(FPRegisterID src, RegisterID dest, BranchTruncateType branchType = BranchIfTruncateFailed)
     790    {
     791        ASSERT(isSSE2Present());
     792        m_assembler.cvttsd2si_rr(src, dest);
     793        return branch32(branchType ? GreaterThanOrEqual : LessThan, dest, TrustedImm32(0));
     794    }
     795
    789796    void truncateDoubleToInt32(FPRegisterID src, RegisterID dest)
    790797    {
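Review bot: the condition in `branch32(branchType ? GreaterThanOrEqual : LessThan, dest, TrustedImm32(0))` on new line 793 uses the BranchTruncateType enum as a boolean, so its correctness depends on BranchIfTruncateFailed having the value 0, which this hunk does not show. Compare explicitly instead, e.g. `branchType == BranchIfTruncateFailed ? LessThan : GreaterThanOrEqual`. The function also deserves a comment stating that cvttsd2si is a signed 32-bit truncation: NaN and anything outside the int32 range, including valid uint32 values from 2^31 upward, come back as 0x80000000 and are reported as failure, so every caller needs a slow path that performs the real unsigned conversion.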
     
    798805        ASSERT(isSSE2Present());
    799806        m_assembler.cvttsd2siq_rr(src, dest);
    800     }
    801 #else
    802     void truncateDoubleToUint32(FPRegisterID src, RegisterID dest)
    803     {
    804         ASSERT(isSSE2Present());
    805         // FIXME: Generate correct code for a double to unsigned conversion.
    806         m_assembler.cvttsd2si_rr(src, dest);
    807807    }
    808808#endif
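Review bot: with the `#else` definition of truncateDoubleToUint32 removed (old lines 801-806), the conditional closed by `#endif` has no fallback left, and the hunk shows neither the `#if` condition nor a pointer to the replacement. Dropping that path is reasonable, since it used cvttsd2si_rr and its own FIXME flagged it as not generating correct code for an unsigned conversion, but a short comment at the `#endif` naming the condition and directing other configurations to branchTruncateDoubleToUint32 would make the resulting compile error self-explanatory for any caller not updated by this patch.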