[JSC] Constant folding of UInt32ToNumber is incorrect
https://bugs.webkit.org/show_bug.cgi?id=157011
rdar://problem/25769641

Patch by Benjamin Poulain <bpoulain@apple.com> on 2016-04-25
Reviewed by Geoffrey Garen.

UInt32ToNumber should return the unsigned 32-bit value of
its child. The abstract interpreter fails to do that when handling
Int52.

None of the tests caught that because the bytecode generator already
folds the operation if given a constant. If the constant is not visible
from the bytecode generator (for example because it comes from an inlined call),
then the abstract interpreter folding was producing invalid results.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* tests/stress/uint32-to-number-constant-folding.js: Added.
(uint32ToNumberMinusOne):
(uint32ToNumberMinusOnePlusInteger):
(inlineMinusOne):
(uint32ToNumberOnHiddenMinusOne):
(uint32ToNumberOnHiddenMinusOnePlusInteger):
(inlineLargeNegativeNumber1):
(inlineLargeNegativeNumber2):
(inlineLargeNegativeNumber3):
(uint32ToNumberOnHiddenLargeNegativeNumber1):
(uint32ToNumberOnHiddenLargeNegativeNumber2):
(uint32ToNumberOnHiddenLargeNegativeNumber3):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@200071 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
index 7abe5b8..2982c47 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -302,7 +302,8 @@
         if (doesOverflow(node->arithMode())) {
             if (enableInt52()) {
                 if (child && child.isAnyInt()) {
-                    setConstant(node, jsNumber(child.asAnyInt()));
+                    int64_t machineInt = child.asAnyInt();
+                    setConstant(node, jsNumber(static_cast<uint32_t>(machineInt)));
                     break;
                 }
                 forNode(node).setType(SpecAnyInt);
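Review bot: The narrowing in `static_cast<uint32_t>(machineInt)` silently keeps only the low 32 bits of an `int64_t`, and nothing at this site says whether that is the intended semantics or a consequence of the child always fitting in 32 bits. Since the guard is `child.isAnyInt()` rather than an Int32 check, please add a one-line comment stating that modulo-2^32 truncation is deliberate here, or an assertion on the range of `machineInt` if the invariant is that the value already fits. The local `machineInt` is used only once, so the comment could sit on that line and justify keeping the named temporary. It would also help to point from this site to the new stress test's LargeNegativeNumber cases listed in the change log, since those are what exercise this path when the constant is hidden from the bytecode generator.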