Closed Bug 646938 Opened 9 years ago Closed 9 years ago

JM: x === x fails when x is -NaN

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set

Tracking

()

RESOLVED FIXED

People

(Reporter: jandem, Assigned: jandem)

References

Details

(Keywords: regression, reproducible, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

--
function f() {
    var x = -[NaN][0];
    print(x === x);
}
f();
--
With -m -a this prints |true| instead of |false|. 

I think jsop_neg flips the first bit and this fails the check in jsop_stricteq.
Attached patch Patch (obsolete) — Splinter Review
This patch fixes the NaN-check in stricteq to ignore the sign bit. The alternative is to add a NaN-check to jsop_neg but that seems more expensive than this patch.
Assignee: general → jandemooij
Status: NEW → ASSIGNED
Attachment #523710 - Flags: review?(dvander)
IIRC neg is very rare, eq is quite common. Not sure about stricteq vs. neg but I would not be surprised if stricteq was more frequent, statically and dynamically. dmandelin, any data?

/be
(In reply to comment #2)
> IIRC neg is very rare, eq is quite common. Not sure about stricteq vs. neg but
> I would not be surprised if stricteq was more frequent, statically and
> dynamically.

This is about the stricteq case where lhs and rhs have the same backing (same local or copy of same local). Thinking about this more, I should probably fix jsop_neg first and benchmark.
Attachment #523710 - Flags: review?(dvander)
Comment on attachment 523710 [details] [diff] [review]
Patch

OK this is interesting. GCC implements -(double) like JM does (xor with sign mask). This means that fixing jsop_neg is not enough as we can still get a -NaN from the interpreter.
Attachment #523710 - Flags: review?(dvander)
(In reply to comment #2)
> IIRC neg is very rare, eq is quite common. Not sure about stricteq vs. neg but
> I would not be surprised if stricteq was more frequent, statically and
> dynamically. dmandelin, any data?

In the V8 benchmarks, neg is rare, and eq/stricteq are common. In SunSpider (which we care less about than we used to), stricteq is rare; eq and neg are both fairly common, but eq runs 2x as many times as neg.
Comment on attachment 523710 [details] [diff] [review]
Patch

bonus points if you change that r11 to scratchRegister ;)
Attachment #523710 - Flags: review?(dvander) → review+
Attached patch PatchSplinter Review
scratchRegister was protected, this patch makes it public like stackPointerRegister.
Attachment #523710 - Attachment is obsolete: true
Attachment #527741 - Flags: review?(dvander)
Attachment #527741 - Flags: review?(dvander) → review+
http://hg.mozilla.org/tracemonkey/rev/de7b0f3323c1
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/de7b0f3323c1
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.