Patch forthcoming
Created attachment 188489
the patch
Comment on attachment 188489
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=188489&action=review

> Source/JavaScriptCore/dfg/DFGAbstractState.cpp:1300
> + forNode(m_graph.m_varArgChildren[node->firstChild() + operandIndex]).filter(SpecRealNumber);

Why not SpecDouble? What would happen if somebody filled their arrays with NaNs?
(In reply to comment #2)
> (From update of attachment 188489)
> View in context: https://bugs.webkit.org/attachment.cgi?id=188489&action=review
>
> > Source/JavaScriptCore/dfg/DFGAbstractState.cpp:1300
> > + forNode(m_graph.m_varArgChildren[node->firstChild() + operandIndex]).filter(SpecRealNumber);
>
> Why not SpecDouble? What would happen if somebody filled their arrays with NaNs?

NaNs can't be stored into double arrays. If you do it, they turn into contiguous arrays (of generic JSValues). The backend will speculate that you're not storing NaN into a double array and spec fail if you do (so that the baseline JIT can do the double->contiguous conversion).

Hence, filtering SpecRealNumber accurately represents the speculations that the backend will do.
Comment on attachment 188489
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=188489&action=review

r=me

>>> Source/JavaScriptCore/dfg/DFGAbstractState.cpp:1300
>>> + forNode(m_graph.m_varArgChildren[node->firstChild() + operandIndex]).filter(SpecRealNumber);
>>
>> Why not SpecDouble? What would happen if somebody filled their arrays with NaNs?
>
> NaNs can't be stored into double arrays. If you do it, they turn into contiguous arrays (of generic JSValues). The backend will speculate that you're not storing NaN into a double array and spec fail if you do (so that the baseline JIT can do the double->contiguous conversion).
>
> Hence, filtering SpecRealNumber accurately represents the speculations that the backend will do.

Sounds good.
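Review bot: the added filter(SpecRealNumber) call at Source/JavaScriptCore/dfg/DFGAbstractState.cpp:1300 has no comment saying why SpecRealNumber is used instead of SpecDouble, and the choice is not obvious from the line itself, as the question in this review shows. A short comment beside the call recording the reason given here (a NaN store turns a double array into a contiguous array, and the backend speculates that this does not happen) would keep the abstract state and the backend speculation from drifting apart in a later change.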
Landed in http://trac.webkit.org/changeset/143024
Reopening to attach new patch.
oops. sorry