Bug 158368

Summary: Eager FTL failure for strict comparison of NaN with number check
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: JavaScriptCoreAssignee: Benjamin Poulain <benjamin>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, fpizlo, ggaren, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
[TEST] JS Reduction
none
Patch none

Description Joseph Pecoraro 2016-06-03 16:12:00 PDT 
Created attachment 280480 [details]
[TEST] JS Reduction

* SUMMARY
Eager FTL failure for strict comparison of NaN with number check

* TEST
function isNaNOnDouble(value)
{
    return (+value) !== value;
}
noInline(isNaNOnDouble);

function testIsNaNOnDoubles()
{
    var value = isNaNOnDouble(-0);
    if (value)
        throw "isNaNOnDouble(-0) = " + value;

    var value = isNaNOnDouble(NaN);
    if (!value)
        throw "isNaNOnDouble(NaN) = " + value;

    var value = isNaNOnDouble(Number.POSITIVE_INFINITY);
    if (value)
        throw "isNaNOnDouble(Number.POSITIVE_INFINITY) = " + value;
}
noInline(testIsNaNOnDoubles);

for (var i = 0; i < 1e6; ++i) {
    testIsNaNOnDoubles();
}


* STEPS TO REPRODUCE
1. $ DYLD_FRAMEWORK_PATH=$build/Release $build/Release/jsc --useFTLJIT=true --useConcurrentJIT=false --thresholdForJITAfterWarmUp=100 --thresholdForJITAfterWarmUp=10 --thresholdForJITSoon=10 --thresholdForOptimizeAfterWarmUp=20 --thresholdForOptimizeAfterLongWarmUp=20 --thresholdForOptimizeSoon=20 --thresholdForFTLOptimizeAfterWarmUp=20 --thresholdForFTLOptimizeSoon=20 number-compare-strict.js

Exception: isNaNOnDouble(NaN) = false

* NOTES
- The issue only reproduces if --useConcurrentJIT=false
Comment 1 Benjamin Poulain 2016-06-03 17:44:08 PDT 
I'll take it. Scary stuff.
Comment 2 Radar WebKit Bug Importer 2016-06-03 17:45:26 PDT 
<rdar://problem/26634629>
Comment 3 Benjamin Poulain 2016-06-03 18:55:11 PDT 
Created attachment 280501 [details]
Patch
Comment 4 WebKit Commit Bot 2016-06-03 20:27:35 PDT 
Comment on attachment 280501 [details]
Patch

Clearing flags on attachment: 280501

Committed r201678: <http://trac.webkit.org/changeset/201678>
Comment 5 WebKit Commit Bot 2016-06-03 20:27:42 PDT 
All reviewed patches have been landed.  Closing bug.