RESOLVED FIXED 150313
DoubleRep fails to convert SpecBoolean values 
https://bugs.webkit.org/show_bug.cgi?id=150313
Summary DoubleRep fails to convert SpecBoolean values
Mark Lam
Reported 2015-10-18 23:10:15 PDT
This was uncovered by the op_sub stress test on 32-bit builds. On 32-bit builds, DoubleRep will erroneously convert 'true' to a 'NaN' instead of a double 1. On 64-bit, the same issue exists but is masked by another bug in DoubleRep where boolean values will always erroneously trigger a BadType OSR exit.
Attachments
the patch. (11.49 KB, patch)
2015-10-18 23:42 PDT, Mark Lam 		ggaren: review+
DetailsFormatted DiffDiff
32-bit benchmark result 1 (63.37 KB, text/plain)
2015-10-18 23:53 PDT, Mark Lam 		no flags
Details
32-bit benchmark result 2 (63.49 KB, text/plain)
2015-10-18 23:54 PDT, Mark Lam 		no flags
Details
64-bit benchmark result 1 (64.04 KB, text/plain)
2015-10-18 23:54 PDT, Mark Lam 		no flags
Details
64-bit benchmark result 2 (64.32 KB, text/plain)
2015-10-18 23:54 PDT, Mark Lam 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2015-10-18 23:42:22 PDT
Created attachment 263446 [details] the patch.
Mark Lam
Comment 2 2015-10-18 23:53:43 PDT
Created attachment 263447 [details] 32-bit benchmark result 1
Mark Lam
Comment 3 2015-10-18 23:54:01 PDT
Created attachment 263448 [details] 32-bit benchmark result 2
Mark Lam
Comment 4 2015-10-18 23:54:24 PDT
Created attachment 263449 [details] 64-bit benchmark result 1
Mark Lam
Comment 5 2015-10-18 23:54:58 PDT
Created attachment 263450 [details] 64-bit benchmark result 2
Mark Lam
Comment 6 2015-10-18 23:58:11 PDT
Benchmark results show no significance difference in perf. The components that show up as definitely faster / slower in one run does not manifest on the second run with the same builds. Similarly, when run individually, the test components also do not show any significant difference in perf.
Geoffrey Garen
Comment 7 2015-10-19 09:09:16 PDT
Comment on attachment 263446 [details] the patch. View in context: https://bugs.webkit.org/attachment.cgi?id=263446&action=review > Source/JavaScriptCore/ChangeLog:18 > + implemented incorrectly. It was checking if any bits other than bit 0 was set. was=>were > Source/JavaScriptCore/ChangeLog:19 > + However, boolean JS values always has TagBitBool (the 3rd bit) set. Hence, the has=>have
Mark Lam
Comment 8 2015-10-19 09:15:28 PDT
Thanks. Landed in r191290: <http://trac.webkit.org/r191290>.
Note You need to log in before you can comment on or make changes to this bug.