Naïve ToInteger implementation can lead to repeated bailouts in Math.ceil

NEW
Unassigned

Status

()

P3
normal
a year ago
a year ago

People

(Reporter: anba, Unassigned)

Tracking

({triage-deferred})

Trunk
triage-deferred
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

a year ago
Test case:
---
function Number_isInteger(number) {
    // Step 1.
    if (typeof number !== "number")
        return false;

    // Step 3.
    var integer = number >= 0 ? Math.floor(number) : Math.ceil(number);

    // Steps 2, 4.
    if (integer - number !== 0)
        return false;

    // Step 5.
    return true;
}
Number.isInteger = Number_isInteger;

// Values are non-int32 and INT32_MIN.
var values = [4.2, -(2**31)];

var t = Date.now();
for (var i = 0; i < 10000000; ++i) {
    Number.isInteger(values[i % values.length]);
}
print(Date.now() - t);
---


The test case leads to repeated bailouts, IONFLAGS=bailouts shows "[IonBailouts]  bailing from bytecode: call, MIR: ceil [14], LIR: ceil [13]".
Probably because of the bailoutCvttsd2si in CodeGeneratorX86Shared::visitCeil. We bail because we get INT32_MIN which happens to be the value the CPU throws at us for "not an integer valued double" :(
Keywords: triage-deferred
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.