Bug 232679

Summary: We need to PreferNumber when calling toPrimitive for negate
Product: WebKit Reporter: Lukas Bernhard <lukas.bernhard>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: ashvayka, ews-watchlist, keith_miller, lukas.bernhard, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
Patch
ashvayka: review+
patch for landing none

Lukas Bernhard
Reported 2021-11-03 12:58:26 PDT
During differential testing of webkit I found a sample triggering a miscomputation in FTL related to using Date in a negative integer context. The sample is invoked as: WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js function main() { let v1 = 0; while (v1++ < 9) { } let v19 = 0; let v45; do { function v22() { "a".charCodeAt(undefined); const v44 = new Date(123); v45 = -v44; for (let v49 = -4096; v49 < 100; v49++) { } } v22(); } while (v19++ < 7); print(v45); // -123 without FTL, NaN with FTL (also -123 in spidermonkey) } main();
Attachments
Patch (3.75 KB, patch)
2021-11-04 11:56 PDT, Saam Barati 		ashvayka: review+
DetailsFormatted DiffDiff
patch for landing (3.69 KB, patch)
2021-11-04 12:01 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2021-11-04 11:56:27 PDT
Created attachment 443329 [details] Patch
Alexey Shvayka
Comment 2 2021-11-04 11:58:41 PDT
Comment on attachment 443329 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=443329&action=review > JSTests/ChangeLog:8 > + * stress/negate-prfer-number-to-primitive.js: Added. (nit) filename typo: "prefer"
Saam Barati
Comment 3 2021-11-04 12:01:31 PDT
Created attachment 443330 [details] patch for landing
EWS
Comment 4 2021-11-08 09:05:42 PST
Committed r285406 (243963@main): <https://commits.webkit.org/243963@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 443330 [details].
Radar WebKit Bug Importer
Comment 5 2021-11-08 09:06:23 PST
<rdar://problem/85157764>
Note You need to log in before you can comment on or make changes to this bug.