Bug 150313

Summary: DoubleRep fails to convert SpecBoolean values
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, fpizlo, ggaren, keith_miller, msaboff, saam
Priority: P2    
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch.
ggaren: review+
32-bit benchmark result 1
none
32-bit benchmark result 2
none
64-bit benchmark result 1
none
64-bit benchmark result 2 none

Mark Lam
Reported 2015-10-18 23:10:15 PDT
This was uncovered by the op_sub stress test on 32-bit builds. On 32-bit builds, DoubleRep will erroneously convert 'true' to a 'NaN' instead of a double 1. On 64-bit, the same issue exists but is masked by another bug in DoubleRep where boolean values will always erroneously trigger a BadType OSR exit.
Attachments
the patch. (11.49 KB, patch)
2015-10-18 23:42 PDT, Mark Lam 		ggaren: review+
DetailsFormatted DiffDiff
32-bit benchmark result 1 (63.37 KB, text/plain)
2015-10-18 23:53 PDT, Mark Lam 		no flags
Details
32-bit benchmark result 2 (63.49 KB, text/plain)
2015-10-18 23:54 PDT, Mark Lam 		no flags
Details
64-bit benchmark result 1 (64.04 KB, text/plain)
2015-10-18 23:54 PDT, Mark Lam 		no flags
Details
64-bit benchmark result 2 (64.32 KB, text/plain)
2015-10-18 23:54 PDT, Mark Lam 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2015-10-18 23:42:22 PDT
Created attachment 263446 [details] the patch.
Mark Lam
Comment 2 2015-10-18 23:53:43 PDT
Created attachment 263447 [details] 32-bit benchmark result 1
Mark Lam
Comment 3 2015-10-18 23:54:01 PDT
Created attachment 263448 [details] 32-bit benchmark result 2
Mark Lam
Comment 4 2015-10-18 23:54:24 PDT
Created attachment 263449 [details] 64-bit benchmark result 1
Mark Lam
Comment 5 2015-10-18 23:54:58 PDT
Created attachment 263450 [details] 64-bit benchmark result 2
Mark Lam
Comment 6 2015-10-18 23:58:11 PDT
Benchmark results show no significance difference in perf. The components that show up as definitely faster / slower in one run does not manifest on the second run with the same builds. Similarly, when run individually, the test components also do not show any significant difference in perf.
Geoffrey Garen
Comment 7 2015-10-19 09:09:16 PDT
Comment on attachment 263446 [details] the patch. View in context: https://bugs.webkit.org/attachment.cgi?id=263446&action=review > Source/JavaScriptCore/ChangeLog:18 > + implemented incorrectly. It was checking if any bits other than bit 0 was set. was=>were > Source/JavaScriptCore/ChangeLog:19 > + However, boolean JS values always has TagBitBool (the 3rd bit) set. Hence, the has=>have
Mark Lam
Comment 8 2015-10-19 09:15:28 PDT
Thanks. Landed in r191290: <http://trac.webkit.org/r191290>.
Note You need to log in before you can comment on or make changes to this bug.