| Summary: | Math.abs() returns negative | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | |||||||
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> | ||||||
| Status: | RESOLVED FIXED | ||||||||
| Severity: | Normal | CC: | ap, benjamin, commit-queue, darin, dpino, fpizlo, ggaren, webkit-bug-importer | ||||||
| Priority: | P2 | Keywords: | InRadar | ||||||
| Version: | 528+ (Nightly build) | ||||||||
| Hardware: | Mac (Intel) | ||||||||
| OS: | OS X 10.9 | ||||||||
| Attachments: |
|
||||||||
|
Description
mail
2014-10-17 12:15:35 PDT
function test() {
var abs = Math.abs(-0.75);
if (abs < 0) {
alert('Math.abs(-0.75) is negative?');
return;
}
requestAnimationFrame(test);
}
test();
It seems this issue is happening when Matb.abs gets jitted, apparently when the DFG kicks in.
function test(times) {
for (var i = 0; i < times; i++) {
result = Math.abs(-0.75);
}
print(times + " times: " + result);
}
test(1);
test(10);
test(100);
test(1000);
test(10000);
test(100000);
test(1000000);
Prints out:
1 times: 0.75
10 times: 0.75
100 times: 0.75
1000 times: 0.75
10000 times: -0.75
100000 times: -0.75
1000000 times: -0.75
If disabling DFG compilation, the issue doesn't happen.
Source/JavaScriptCore/runtime/Options.h
v(bool, useDFGJIT, false) \
I also noticed this issue is only happening with floats, it works OK for integers (regardless DFGJIT is on or off).
So everything points to be an issue in dfg/DFGSpeculativeJIT64.cpp, when emitting the jitted code for ArithAbs.
My environment is Ubuntu 14.04 x86_64, WebKitGTK+.
Created attachment 252169 [details]
Patch
Comment on attachment 252169 [details]
Patch
Ooops. Can you add a test?
Comment on attachment 252169 [details]
Patch
r=me
Created attachment 252171 [details]
Patch for landing
Comment on attachment 252171 [details] Patch for landing Clearing flags on attachment: 252171 Committed r183692: <http://trac.webkit.org/changeset/183692> All reviewed patches have been landed. Closing bug. |