Changeset 215482 in webkit for trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

Timestamp:

Apr 18, 2017, 3:34:14 PM (8 years ago)

Author:

[email protected]

Message:

r211670 broke double to int conversion.
​https://bugs.webkit.org/show_bug.cgi?id=170961
<rdar://problem/31687696>

Reviewed by Yusuke Suzuki.

JSTests:

• microbenchmarks/double-to-int32.js: Added.
• stress/to-int32-sensible2.js: Added.

Source/JavaScriptCore:

This is because operationToInt32SensibleSlow() assumes that left shifts of greater
than 31 bits on an 31-bit value will produce a 0. However, the spec says that
"if the value of the right operand is negative or is greater or equal to the
number of bits in the promoted left operand, the behavior is undefined."
See ​http://en.cppreference.com/w/cpp/language/operator_arithmetic#Bitwise_shift_operators.

This patch fixes this by restoring the check to prevent a shift of greater than
31 bits. It also consolidates the optimization in operationToInt32SensibleSlow()
back into toInt32() so that we don't have 2 copies of the same code with only a
slight variation.

JSC benchmarks shows that performance is neutral with this patch.

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileValueToInt32):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::sensibleDoubleToInt32):

• runtime/MathCommon.cpp:

(JSC::operationToInt32SensibleSlow): Deleted.

• runtime/MathCommon.h:

(JSC::toInt32):

File:

• trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -11810 +11810 @@
         LBasicBlock lastNext = m_out.appendTo(slowPath, continuation);
         ValueFromBlock slowResult = m_out.anchor(
-            m_out.call(Int32, m_out.operation(operationToInt32SensibleSlow), doubleValue));
+            m_out.call(Int32, m_out.operation(operationToInt32), doubleValue));
         m_out.jump(continuation);