RESOLVED FIXED 251117
DFG should not speculate Int32 for NaN constants 
https://bugs.webkit.org/show_bug.cgi?id=251117
Summary DFG should not speculate Int32 for NaN constants
David Degazio
Reported 2023-01-24 15:03:00 PST
rdar://104608391 Currently, DFG will attempt to speculate Int32 for certain double constants during the fixup phase. If a number constant is an Int32, or falls within a valid range (between ±2^48), it's allowed to be truncated into an integer. However, NaN values cannot be compared and ordered, so unlike other non-finite values like positive or negative Infinity, they can pass this range check and be converted into an Int32 despite clearly being non-integral values. We should add a check for NaN constants and reject Int32 speculation if we come across one during the fixup phase.
Attachments
Add attachment proposed patch, testcase, etc.
David Degazio
Comment 1 2023-01-24 15:14:44 PST
Pull request: https://github.com/WebKit/WebKit/pull/9077
EWS
Comment 2 2023-01-24 21:04:54 PST
Committed 259340@main (800a9bf27aa7): <https://commits.webkit.org/259340@main> Reviewed commits have been landed. Closing PR #9077 and removing active labels.
Note You need to log in before you can comment on or make changes to this bug.