Bug 232679 - We need to PreferNumber when calling toPrimitive for negate
Summary: We need to PreferNumber when calling toPrimitive for negate
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2021-11-03 12:58 PDT by Lukas Bernhard
Modified: 2021-11-08 09:06 PST
CC List: 9 users

See Also:


Attachments
Patch (3.75 KB, patch)
2021-11-04 11:56 PDT, Saam Barati
ashvayka: review+
patch for landing (3.69 KB, patch)
2021-11-04 12:01 PDT, Saam Barati
no flags

Description Lukas Bernhard 2021-11-03 12:58:26 PDT
During differential testing of WebKit I found a sample triggering a miscomputation in FTL related to using Date in a negative integer context.

The sample is invoked as:
WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js

function main() {
    let v1 = 0;
    while (v1++ < 9) { }

    let v19 = 0;
    let v45;
    do {
        function v22() {
            "a".charCodeAt(undefined);
            const v44 = new Date(123);
            v45 = -v44; // unary minus on a Date: ToPrimitive with hint Number -> valueOf() -> 123 -> -123
            for (let v49 = -4096; v49 < 100; v49++) { } // warm-up loop so v22 is tiered up to the FTL
        }
        v22();
    } while (v19++ < 7);
    print(v45); // -123 without FTL, NaN with FTL (also -123 in spidermonkey)
}
main();
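To make the spec requirement behind this report concrete, here is an added example that is not part of the bug report or the WebKit patch: a plain-JavaScript model of ToPrimitive with an explicit hint, plus a probe object that records which hint each operation passes. Unary minus goes through ToNumeric, which calls ToPrimitive with hint "number", so a Date yields its valueOf() (123) and negates to -123. If the conversion runs with the "default" hint instead, Date's @@toPrimitive treats that as "string", the date string converts to NaN, and negation yields NaN, which is exactly the FTL result printed above. The function and variable names here (ordinaryToPrimitive, toPrimitive, specNegate, negateWithDefaultHint, recordHints) are my own and do not correspond to anything in JavaScriptCore.

```javascript
// Added example: spec-style ToPrimitive with an explicit hint, used to show why
// negating a Date must prefer the Number hint. Not JavaScriptCore code.

function isPrimitive(value) {
  return value === null || (typeof value !== "object" && typeof value !== "function");
}

// OrdinaryToPrimitive(O, hint): "string" tries toString first, anything else tries valueOf first.
function ordinaryToPrimitive(obj, hint) {
  const order = hint === "string" ? ["toString", "valueOf"] : ["valueOf", "toString"];
  for (const name of order) {
    const method = obj[name];
    if (typeof method === "function") {
      const result = method.call(obj);
      if (isPrimitive(result)) return result;
    }
  }
  throw new TypeError("Cannot convert object to primitive value");
}

// ToPrimitive(input, preferredType): honours Symbol.toPrimitive, then falls back to
// OrdinaryToPrimitive. With no preferred type the hint is "default".
function toPrimitive(input, preferredType = "default") {
  if (isPrimitive(input)) return input;
  const exotic = input[Symbol.toPrimitive];
  if (exotic !== undefined && exotic !== null) {
    const result = exotic.call(input, preferredType);
    if (isPrimitive(result)) return result;
    throw new TypeError("Cannot convert object to primitive value");
  }
  // When there is no @@toPrimitive, "default" behaves like "number".
  return ordinaryToPrimitive(input, preferredType === "default" ? "number" : preferredType);
}

// Unary minus per spec: ToNumeric(operand) = ToNumber(ToPrimitive(operand, number)), then negate.
function specNegate(value) {
  return -Number(toPrimitive(value, "number"));
}

// The wrong conversion this bug is about: negating after a ToPrimitive call that did not
// prefer Number. Date.prototype[@@toPrimitive] maps "default" to "string", so the
// string form of the date is what gets converted, and Number("Thu Jan 01 1970 ...") is NaN.
function negateWithDefaultHint(value) {
  return -Number(toPrimitive(value, "default"));
}

// Probe object that records the hint the engine passes for each kind of operation.
// Expected order: unary minus -> "number", template literal -> "string", + "" -> "default".
function recordHints() {
  const hints = [];
  const probe = {
    [Symbol.toPrimitive](hint) {
      hints.push(hint);
      return 1;
    },
  };
  -probe;        // ToNumeric: hint "number"
  `${probe}`;    // ToString: hint "string"
  probe + "";    // addition operator: hint "default"
  return hints;
}

function demo() {
  const d = new Date(123);
  console.log("engine -d            :", -d);                      // -123
  console.log("specNegate(d)        :", specNegate(d));            // -123
  console.log("default-hint negate  :", negateWithDefaultHint(d)); // NaN
  console.log("hints recorded       :", recordHints());            // [ 'number', 'string', 'default' ]
}

demo();
```

The takeaway for anyone writing or reviewing a JIT fast path: the hint is part of the ToPrimitive contract, not an optimisation detail. A lowering that reaches for "default" because it is the common case silently changes which method Date (or any object with a @@toPrimitive) calls, and the discrepancy only shows up once the code is hot enough to be compiled by the tier that got it wrong, which is why differential testing across tiers found it.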
Comment 1 Saam Barati 2021-11-04 11:56:27 PDT
Created attachment 443329
Patch
Comment 2 Alexey Shvayka 2021-11-04 11:58:41 PDT
Comment on attachment 443329
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=443329&action=review

> JSTests/ChangeLog:8
> +        * stress/negate-prfer-number-to-primitive.js: Added.

(nit) filename typo: "prefer"
Comment 3 Saam Barati 2021-11-04 12:01:31 PDT
Created attachment 443330
patch for landing
Comment 4 EWS 2021-11-08 09:05:42 PST
Committed r285406 (243963@main): <https://commits.webkit.org/243963@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 443330.
Comment 5 Radar WebKit Bug Importer 2021-11-08 09:06:23 PST
<rdar://problem/85157764>