[array] Fix Array#map storing signaling NaNs

Bug: chromium:930948 Change-Id: I7567fec06ec4bad11e8b8336ac13fdfc225b632c Reviewed-on: https://chromium-review.googlesource.com/c/1466503 Reviewed-by: Michael Stanton <mvstanton@chromium.org> Reviewed-by: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Mathias Bynens <mathias@chromium.org> Commit-Queue: Sigurd Schneider <sigurds@chromium.org> Cr-Commit-Position: refs/heads/master@{#59547}
2019-02-12 15:48:55 +01:00 · 2019-02-12 15:48:55 +01:00 · 82faa6d315
commit 82faa6d315
parent e7063b3d6b
5 changed files with 40 additions and 4 deletions
--- a/src/builtins/array-map.tq
+++ b/src/builtins/array-map.tq
@ -142,7 +142,7 @@ namespace array_map {
        for (let i: Smi = 0; i < validLength; i++) {
          typeswitch (this.fixedArray[i]) {
            case (n: Number): {
-              elements[i] = Convert<float64>(n);
+              elements[i] = Float64SilenceNaN(Convert<float64>(n));
            }
            case (h: HeapObject): {
              assert(h == Hole);
--- a/src/compiler/effect-control-linearizer.cc
+++ b/src/compiler/effect-control-linearizer.cc
@ -4598,7 +4598,7 @@ void EffectControlLinearizer::LowerTransitionAndStoreElement(Node* node) {
      Node* float_value =
          __ LoadField(AccessBuilder::ForHeapNumberValue(), value);
      __ StoreElement(AccessBuilder::ForFixedDoubleArrayElement(), elements,
-                      index, float_value);
+                      index, __ Float64SilenceNaN(float_value));
      __ Goto(&done);
    }
  }
@ -4664,7 +4664,7 @@ void EffectControlLinearizer::LowerTransitionAndStoreNumberElement(Node* node) {

  Node* elements = __ LoadField(AccessBuilder::ForJSObjectElements(), array);
  __ StoreElement(AccessBuilder::ForFixedDoubleArrayElement(), elements, index,
-                  value);
+                  __ Float64SilenceNaN(value));
 }

 void EffectControlLinearizer::LowerTransitionAndStoreNonNumberElement(
--- a/src/compiler/graph-assembler.h
+++ b/src/compiler/graph-assembler.h
@ -39,7 +39,8 @@ namespace compiler {
  V(BitcastFloat64ToInt64)               \
  V(Float64Abs)                          \
  V(Word32ReverseBytes)                  \
-  V(Word64ReverseBytes)
+  V(Word64ReverseBytes)                  \
+  V(Float64SilenceNaN)

 #define PURE_ASSEMBLER_MACH_BINOP_LIST(V) \
  V(WordShl)                              \
--- a/test/mjsunit/regress/regress-crbug-930948-base.js
+++ b/test/mjsunit/regress/regress-crbug-930948-base.js
@ -0,0 +1,10 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --verify-heap --allow-natives-syntax
+
+function foo() {
+  return [undefined].map(Math.asin);
+}
+foo();
--- a/test/mjsunit/regress/regress-crbug-930948.js
+++ b/test/mjsunit/regress/regress-crbug-930948.js
@ -0,0 +1,25 @@
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --verify-heap --allow-natives-syntax
+
+// This checks that TransitionAndStoreNumberElement silences NaNs.
+function foo() {
+  return [undefined].map(Math.asin);
+}
+foo();
+foo();
+%OptimizeFunctionOnNextCall(foo);
+foo();
+
+// This checks that TransitionAndStoreElement silences NaNs.
+function bar(b) {
+  return [undefined].map(x => b ? Math.asin(x) : "string");
+}
+bar(true);
+bar(false);
+bar(true);
+bar(false);
+%OptimizeFunctionOnNextCall(bar);
+bar(true);