Commit 536fb9cb authored by oliver@apple.com's avatar oliver@apple.com
Browse files

2011-01-18 Oliver Hunt <oliver@apple.com>

        Reviewed by Antti Koivisto.

        [jsfunfuzz] Assertion in codegen for array of NaN constants
        https://bugs.webkit.org/show_bug.cgi?id=52643

        Add a testcase to ensure we handle a large number of NaN literals
        in (0/0 is folded to NaN automatically during parsing).

        * fast/js/codegen-temporaries-expected.txt:
        * fast/js/script-tests/codegen-temporaries.js:
2011-01-18  Oliver Hunt  <oliver@apple.com>

        Reviewed by Antti Koivisto.

        [jsfunfuzz] Assertion in codegen for array of NaN constants
        https://bugs.webkit.org/show_bug.cgi?id=52643

        Don't cache NaN literals in the code generator, as NaN doesn't compare
        as equal to itself it causes problems when rehashing the number cache.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@76049 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 33ddd998
2011-01-18 Oliver Hunt <oliver@apple.com>
Reviewed by Antti Koivisto.
[jsfunfuzz] Assertion in codegen for array of NaN constants
https://bugs.webkit.org/show_bug.cgi?id=52643
Add a testcase to ensure we handle a large number of NaN literals
in (0/0 is folded to NaN automatically during parsing).
* fast/js/codegen-temporaries-expected.txt:
* fast/js/script-tests/codegen-temporaries.js:
2011-01-18 Krithigassree Sambamurthy <krithigassree.sambamurthy@nokia.com>
 
Reviewed by Simon Fraser.
......
......@@ -109,6 +109,7 @@ PASS switch_test1() is true
PASS switch_test2() is true
PASS switch_test3() is true
PASS construct_test() is true
PASS [(0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), ].length is 64
PASS successfullyParsed is true
TEST COMPLETE
......
......@@ -925,5 +925,10 @@ function construct_test()
}
shouldBeTrue("construct_test()");
var testStr = "[";
for (var i = 0; i < 64; i++)
testStr += "(0/0), ";
testStr += "].length";
shouldBe(testStr, "64");
var successfullyParsed = true;
2011-01-18 Oliver Hunt <oliver@apple.com>
Reviewed by Antti Koivisto.
[jsfunfuzz] Assertion in codegen for array of NaN constants
https://bugs.webkit.org/show_bug.cgi?id=52643
Don't cache NaN literals in the code generator, as NaN doesn't compare
as equal to itself it causes problems when rehashing the number cache.
* bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::emitLoad):
2011-01-17 Jarred Nicholls <jarred@sencha.com>
 
Reviewed by Csaba Osztrogonác.
......
......@@ -1082,8 +1082,9 @@ RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, bool b)
RegisterID* BytecodeGenerator::emitLoad(RegisterID* dst, double number)
{
// FIXME: Our hash tables won't hold infinity, so we make a new JSNumberCell each time.
// Later we can do the extra work to handle that like the other cases.
if (number == HashTraits<double>::emptyValue() || HashTraits<double>::isDeletedValue(number))
// Later we can do the extra work to handle that like the other cases. They also don't
// work correctly with NaN as a key.
if (isnan(number) || number == HashTraits<double>::emptyValue() || HashTraits<double>::isDeletedValue(number))
return emitLoad(dst, jsNumber(number));
JSValue& valueInMap = m_numberMap.add(number, JSValue()).first->second;
if (!valueInMap)
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment