Bug 228068

Summary: Compiler Incorrect Optimization
Product: WebKit
Reporter: zhiyi <vulbugs>
Component: JavaScriptCore
Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED
Severity: Normal
CC: ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, saam, tzagallo, vulbugs, webkit-bug-importer, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
  Description          Flags
  proposed patch.      ysuzuki: review+
  patch for landing.   none

Description zhiyi 2021-07-18 19:59:14 PDT
OS: ubuntu18.04
Architecture: <x64>

./jsc bug.js

expected output
-Infinity
-Infinity

actual output
-Infinity
Infinity


bug.js
##################################
function f() {
  v0 = (-0.0).toLocaleString();
  return parseInt(v0);
}
let a0 = f();
print(1 / a0);

for (let i = 0; i < 0x1000; i++) { f(); }
let a3 = f();
print(1 / a3);

Comment 1 Radar WebKit Bug Importer 2021-07-19 09:44:59 PDT
<rdar://problem/80788603>

Comment 2 Mark Lam 2021-07-19 15:31:39 PDT
Created attachment 433828 [details]
proposed patch.

Comment 3 Yusuke Suzuki 2021-07-19 15:35:10 PDT
Comment on attachment 433828 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=433828&action=review

> Source/JavaScriptCore/dfg/DFGOperations.cpp:206
> +    if (static_cast<double>(asInt) == input) {
> +        if (asInt || !std::signbit(input))
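
Review bot: The inner condition on the second quoted line, `asInt || !std::signbit(input)`, is the only thing keeping an input of -0.0 off the integer return path, and nothing in these lines says so. A one-line comment stating that an integer result cannot carry the sign of zero, so -0.0 must not be returned as `asInt`, would keep a later cleanup from folding the check away.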

I think it is worth putting `LIKELY`.

if (LIKELY(static_cast<double>(asInt) == input && (asInt || !std::signbit(input))))
    return JSValue::encode(jsNumber(asInt));

Comment 4 Mark Lam 2021-07-19 15:36:22 PDT
(In reply to Yusuke Suzuki from comment #3)
> Comment on attachment 433828 [details]
> proposed patch.
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=433828&action=review
> 
> > Source/JavaScriptCore/dfg/DFGOperations.cpp:206
> > +    if (static_cast<double>(asInt) == input) {
> > +        if (asInt || !std::signbit(input))
> 
> I think it is worth putting `LIKELY`.
> 
> if (LIKELY(static_cast<double>(asInt) == input && (asInt ||
> !std::signbit(input))))
>     return JSValue::encode(jsNumber(asInt));

OK, will do.

Comment 5 Mark Lam 2021-07-19 15:44:25 PDT
Created attachment 433830 [details]
patch for landing.

Comment 6 Mark Lam 2021-07-19 17:49:45 PDT
Thanks for the review.  Landed in r280060: <http://trac.webkit.org/r280060>.
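
The symptom in this report is a result whose sign of zero changes only after the function has been called 0x1000 times. As an added example (not part of the bug report or of the WebKit patch), a small differential harness that compares the cold result with warmed-up results using Object.is; `describe`, `tierDivergence`, `makeSimulatedBug`, `runChecks` and the threshold of 100 are hypothetical names and constructed values.

```javascript
// Added example, not WebKit code. Names and sample values are hypothetical.

// Render a result so that -0 and +0 stay distinguishable in a report.
function describe(v) {
  return Object.is(v, -0) ? "-0" : String(v);
}

// Call fn once cold, then `warmup` more times, and record the calls whose
// result differs from the cold one. Object.is is used because === treats
// -0 and +0 as equal (and NaN as unequal to itself), which would hide the
// sign-of-zero change described in this bug.
function tierDivergence(fn, args = [], warmup = 0x1000, maxReports = 5) {
  const cold = fn(...args);
  const mismatches = [];
  for (let i = 0; i < warmup && mismatches.length < maxReports; i++) {
    const hot = fn(...args);
    if (!Object.is(cold, hot)) {
      mismatches.push({ iteration: i, cold: describe(cold), hot: describe(hot) });
    }
  }
  return mismatches;
}

// The function from the report, with v0 declared locally.
function parseNegativeZero() {
  const v0 = (-0.0).toLocaleString();
  return parseInt(v0);
}

// Constructed stand-in for an affected engine: returns -0 for the first
// `threshold` calls and +0 afterwards, mimicking a result that changes once
// optimized code takes over. It lets the harness be exercised on a fixed engine.
function makeSimulatedBug(threshold) {
  let calls = 0;
  return () => (++calls <= threshold ? -0 : 0);
}

function runChecks() {
  return {
    real: tierDivergence(parseNegativeZero),
    simulated: tierDivergence(makeSimulatedBug(100)),
  };
}

if (typeof console !== "undefined") console.log(JSON.stringify(runChecks()));
```

On an engine without the defect, `real` is an empty list; the `simulated` entry shows what a divergence record looks like.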