Changeset 240681 in webkit for trunk/Source/JavaScriptCore/bytecode/ValueRecovery.cpp

Timestamp:

Jan 29, 2019, 2:04:47 PM (6 years ago)

Author:

[email protected]

Message:

ValueRecovery::recover() should purify NaN values it recovers.
​https://bugs.webkit.org/show_bug.cgi?id=193978
<rdar://problem/47625488>

Reviewed by Saam Barati.

JSTests:

• stress/value-recovery-of-double-displaced-in-jsstack-should-be-purified.js: Added.

Source/JavaScriptCore:

According to DFG::OSRExit::executeOSRExit() and DFG::OSRExit::compileExit(),
recovered DoubleDisplacedInJSStack values need to be purified.
ValueRecovery::recover() should do the same.

• bytecode/ValueRecovery.cpp:

(JSC::ValueRecovery::recover const):

File:

• trunk/Source/JavaScriptCore/bytecode/ValueRecovery.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/bytecode/ValueRecovery.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2013, 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2019 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -44 +44 @@
         return jsNumber(exec->r(virtualRegister().offset()).unboxedStrictInt52());
     case DoubleDisplacedInJSStack:
-        return jsNumber(exec->r(virtualRegister().offset()).unboxedDouble());
+        return jsNumber(purifyNaN(exec->r(virtualRegister().offset()).unboxedDouble()));
     case CellDisplacedInJSStack:
         return exec->r(virtualRegister().offset()).unboxedCell();