Bug 137827

Summary: Math.abs() returns negative
Product: WebKit Reporter: mail
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: ap, benjamin, commit-queue, darin, dpino, fpizlo, ggaren, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Mac (Intel)   
OS: OS X 10.9   
Attachments:
Description Flags
Patch
none
Patch for landing none

mail
Reported 2014-10-17 12:15:35 PDT
Calls to Math.abs() can return a negative in certain scenarios. Can be triggered pretty easily by calling it within requestAnimationFrame. Demo: http://jsbin.com/netev/edit?js,output
Attachments
Patch (1.63 KB, patch)
2015-05-01 13:38 PDT, Basile Clement 		no flags
DetailsFormatted DiffDiff
Patch for landing (2.28 KB, patch)
2015-05-01 14:34 PDT, Basile Clement 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2014-10-17 21:48:58 PDT
function test() { var abs = Math.abs(-0.75); if (abs < 0) { alert('Math.abs(-0.75) is negative?'); return; } requestAnimationFrame(test); } test();
Radar WebKit Bug Importer
Comment 2 2014-10-28 23:51:49 PDT
<rdar://problem/18807804>
Radar WebKit Bug Importer
Comment 3 2014-10-28 23:51:50 PDT
<rdar://problem/18807806>
Darin Adler
Comment 4 2014-12-03 09:22:59 PST
<rdar://problem/18694698>
Diego Pino
Comment 5 2014-12-09 08:34:12 PST
It seems this issue is happening when Matb.abs gets jitted, apparently when the DFG kicks in. function test(times) { for (var i = 0; i < times; i++) { result = Math.abs(-0.75); } print(times + " times: " + result); } test(1); test(10); test(100); test(1000); test(10000); test(100000); test(1000000); Prints out: 1 times: 0.75 10 times: 0.75 100 times: 0.75 1000 times: 0.75 10000 times: -0.75 100000 times: -0.75 1000000 times: -0.75 If disabling DFG compilation, the issue doesn't happen. Source/JavaScriptCore/runtime/Options.h v(bool, useDFGJIT, false) \ I also noticed this issue is only happening with floats, it works OK for integers (regardless DFGJIT is on or off). So everything points to be an issue in dfg/DFGSpeculativeJIT64.cpp, when emitting the jitted code for ArithAbs. My environment is Ubuntu 14.04 x86_64, WebKitGTK+.
Basile Clement
Comment 6 2015-05-01 13:38:20 PDT
Created attachment 252169 [details] Patch
Filip Pizlo
Comment 7 2015-05-01 13:45:24 PDT
Comment on attachment 252169 [details] Patch Ooops. Can you add a test?
Michael Saboff
Comment 8 2015-05-01 13:55:36 PDT
Comment on attachment 252169 [details] Patch r=me
Basile Clement
Comment 9 2015-05-01 14:34:19 PDT
Created attachment 252171 [details] Patch for landing
WebKit Commit Bot
Comment 10 2015-05-01 15:36:53 PDT
Comment on attachment 252171 [details] Patch for landing Clearing flags on attachment: 252171 Committed r183692: <http://trac.webkit.org/changeset/183692>
WebKit Commit Bot
Comment 11 2015-05-01 15:36:58 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.