RESOLVED FIXED 160329
ARM64: Fused left shift with a right shift can create NaNs from integers 
https://bugs.webkit.org/show_bug.cgi?id=160329
Summary ARM64: Fused left shift with a right shift can create NaNs from integers
Michael Saboff
Reported 2016-07-28 17:03:06 PDT
The function function signExtendByte(x) { return x << 24 >> 24; } Generates the wrong instructions when compiled with the FTL JIT. The shift left / shift right combination becomes a sign extend, which is fine except it sign extends to a 64 bit value and not a 32 bit value. Here is the code that the FTL generates for “x << 24 >> 24” (with my comments): 0x10695fdd8: ldur x0, [fp, #48] ; Load x_0 0x10695fddc: mov x1, #0xffff000000000000.; materialize tag 0x10695fde0: cmp x0, x1 ; Check for int 0x10695fde4: b.lo 0x10695feac 0x10695fde8: sxtb x0, w0 ; sign extend byte to 64 bits (oops should be 32 bits) 0x10695fdec: add x0, x0, x1 ; Add in tag The sxtb x0, w0 should be a sxtb w0, w0.
Attachments
Patch (3.11 KB, patch)
2016-07-28 17:23 PDT, Michael Saboff 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2016-07-28 17:03:40 PDT
<rdar://problem/27299339>
Michael Saboff
Comment 2 2016-07-28 17:23:56 PDT
Created attachment 284842 [details] Patch
Geoffrey Garen
Comment 3 2016-07-28 17:28:23 PDT
Comment on attachment 284842 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=284842&action=review r=me > Source/JavaScriptCore/ChangeLog:10 > + generate a sign extend byte instructions. On ARM64, we were sign extending instruction > Source/JavaScriptCore/ChangeLog:11 > + to a 64 bit quantity, when we really wanted to signn extend to a 32 bit quantity. sign
Michael Saboff
Comment 4 2016-07-28 17:31:45 PDT
Committed r203851: <http://trac.webkit.org/changeset/203851>
Note You need to log in before you can comment on or make changes to this bug.