[V8][asm.js] Fixes a bug in comma-expression validation.

Comma expressions need to special-handle function calls. When validating the rhs of a Comma, the validatior needs to ensure that it returns AsmType::Float() if the function being called is fround(). BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5528 Review-Url: https://chromiumcodereview.appspot.com/2426473007 Cr-Commit-Position: refs/heads/master@{#40408}

[V8][asm.js] Fixes a bug in comma-expression validation.
Comma expressions need to special-handle function calls. When validating the rhs of a Comma, the validatior needs to ensure that it returns AsmType::Float() if the function being called is fround(). BUG= https://bugs.chromium.org/p/v8/issues/detail?id=5528 Review-Url: https://chromiumcodereview.appspot.com/2426473007 Cr-Commit-Position: refs/heads/master@{#40408}
07ac9783 · jpp · Commit bot · d875e2cf · 07ac9783 · 07ac9783
Commit 07ac9783 authored Oct 18, 2016 by jpp Committed by Commit bot Oct 18, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 41 additions and 2 deletions

asm-typer.cc src/asmjs/asm-typer.cc +10 -2

b5528-comma.js test/mjsunit/asm/b5528-comma.js +31 -0

No files found.
--- a/src/asmjs/asm-typer.cc
+++ b/src/asmjs/asm-typer.cc
@@ -1642,7 +1642,15 @@ AsmType* AsmTyper::ValidateCommaExpression(BinaryOperation* comma) {
  auto* right = comma->right();
  AsmType* right_type = nullptr;
  if (auto* right_as_call = right->AsCall()) {
-    RECURSE(right_type = ValidateCall(AsmType::Void(), right_as_call));
+    RECURSE(right_type = ValidateFloatCoercion(right_as_call));
+    if (right_type != AsmType::Float()) {
+      // right_type == nullptr <-> right_as_call is not a call to fround.
+      DCHECK(right_type == nullptr);
+      RECURSE(right_type = ValidateCall(AsmType::Void(), right_as_call));
+      // Unnanotated function call to something that's not fround must be a call
+      // to a void function.
+      DCHECK_EQ(right_type, AsmType::Void());
+    }
  } else {
    RECURSE(right_type = ValidateExpression(right));
  }
@@ -1674,7 +1682,7 @@ AsmType* AsmTyper::ValidateNumericLiteral(Literal* literal) {
    if (!literal->value()->ToInt32(&value)) {
      FAIL(literal, "Integer literal is out of range.");
    }
-    // *VIOLATION* Not really a violation, but rather a different in the
+    // *VIOLATION* Not really a violation, but rather a difference in
    // validation. The spec handles -NumericLiteral in ValidateUnaryExpression,
    // but V8's AST represents the negative literals as Literals.
    return AsmType::Signed();

--- a/test/mjsunit/asm/b5528-comma.js
+++ b/test/mjsunit/asm/b5528-comma.js
+// Copyright 2016 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+function Module(stdlib, env, heap) {
+  "use asm";
+
+  var a = new stdlib.Int32Array(heap);
+  var b = new stdlib.Float32Array(heap);
+  var fround = stdlib.Math.fround;
+  var value = env.value|0;
+
+  function foo() {
+    var x = fround(0.0);
+    x = (a[0]=value|0,fround(b[0]));
+    return fround(x);
+  }
+
+  return { foo: foo };
+}
+
+var buffer = new ArrayBuffer(32);
+assertEquals(0.0, Module(this, {value: 0x00000000}, buffer).foo());
+assertEquals(-0.0, Module(this, {value: 0x80000000}, buffer).foo());
+assertEquals(5.0, Module(this, {value: 0x40a00000}, buffer).foo());
+assertEquals(-5.0, Module(this, {value: 0xc0a00000}, buffer).foo());
+assertEquals(129.375, Module(this, {value: 0x43016000}, buffer).foo());
+assertEquals(-129.375, Module(this, {value: 0xc3016000}, buffer).foo());
+assertEquals(Infinity, Module(this, {value: 0x7f800000}, buffer).foo());
+assertEquals(-Infinity, Module(this, {value: 0xff800000}, buffer).foo());
+assertEquals(NaN, Module(this, {value: 0x7fffffff}, buffer).foo());