[Builtins] Make it harder to store signalling NaNs in Torque/CSA

The bottlenecks to prevent storing signalling NaNs in backing stores were not perfect. This change makes it harder by ensuring that all the Torque-side "[]=" operator overloads for FixedDoubleArray stores have signalling NaNs silenced. Bug: chromium:944435 Change-Id: I295d9b34f4c896db30989bb9db1a2b452daa03ae Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1538517Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#60459}

[Builtins] Make it harder to store signalling NaNs in Torque/CSA
The bottlenecks to prevent storing signalling NaNs in backing stores were not perfect. This change makes it harder by ensuring that all the Torque-side "[]=" operator overloads for FixedDoubleArray stores have signalling NaNs silenced. Bug: chromium:944435 Change-Id: I295d9b34f4c896db30989bb9db1a2b452daa03ae Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/1538517Reviewed-by: Sigurd Schneider <sigurds@chromium.org> Commit-Queue: Michael Stanton <mvstanton@chromium.org> Cr-Commit-Position: refs/heads/master@{#60459}
539017b0 · Mike Stanton · Commit Bot · 2bd4bc6f · 539017b0 · 539017b0
Commit 539017b0 authored Mar 26, 2019 by Mike Stanton Committed by Commit Bot Mar 26, 2019
5 changed files
--- a/src/builtins/array-map.tq
+++ b/src/builtins/array-map.tq
@@ -127,7 +127,7 @@ namespace array_map {
        for (let i: Smi = 0; i < validLength; i++) {
          typeswitch (this.fixedArray.objects[i]) {
            case (n: Number): {
-              elements.floats[i] = Float64SilenceNaN(Convert<float64>(n));
+              elements.floats[i] = Convert<float64>(n);
            }
            case (h: HeapObject): {
              assert(h == Hole);

--- a/src/builtins/base.tq
+++ b/src/builtins/base.tq
@@ -1747,8 +1747,6 @@ operator '[]=' macro StoreFixedArrayDirect(a: FixedArray, i: Smi, v: Object) {
 extern operator '.instance_type' macro LoadMapInstanceType(Map): int32;
-extern macro Float64SilenceNaN(float64): float64;
 extern macro GetNumberDictionaryNumberOfElements(NumberDictionary): Smi;
 extern macro GetIteratorMethod(implicit context: Context)(HeapObject): Object
    labels IfIteratorUndefined;

--- a/src/code-stub-assembler.cc
+++ b/src/code-stub-assembler.cc
@@ -2831,7 +2831,9 @@ void CodeStubAssembler::StoreFixedDoubleArrayElement(
      ElementOffsetFromIndex(index_node, PACKED_DOUBLE_ELEMENTS, parameter_mode,
                             FixedArray::kHeaderSize - kHeapObjectTag);
  MachineRepresentation rep = MachineRepresentation::kFloat64;
-  StoreNoWriteBarrier(rep, object, offset, value);
+  // Make sure we do not store signalling NaNs into double arrays.
+  TNode<Float64T> value_silenced = Float64SilenceNaN(value);
+  StoreNoWriteBarrier(rep, object, offset, value_silenced);
 }
 void CodeStubAssembler::StoreFeedbackVectorSlot(Node* object,
@@ -2985,7 +2987,9 @@ void CodeStubAssembler::TryStoreArrayElement(ElementsKind kind,
  } else if (IsDoubleElementsKind(kind)) {
    GotoIfNotNumber(value, bailout);
  }
-  if (IsDoubleElementsKind(kind)) value = ChangeNumberToFloat64(value);
+  if (IsDoubleElementsKind(kind)) {
+    value = ChangeNumberToFloat64(value);
+  }
  StoreElement(elements, kind, index, value, mode);
 }
@@ -10345,9 +10349,8 @@ void CodeStubAssembler::StoreElement(Node* elements, ElementsKind kind,
    StoreNoWriteBarrier(rep, elements, offset, value);
    return;
  } else if (IsDoubleElementsKind(kind)) {
-    // Make sure we do not store signalling NaNs into double arrays.
+    TNode<Float64T> value_float64 = UncheckedCast<Float64T>(value);
-    TNode<Float64T> value_silenced = Float64SilenceNaN(value);
+    StoreFixedDoubleArrayElement(CAST(elements), index, value_float64, mode);
-    StoreFixedDoubleArrayElement(CAST(elements), index, value_silenced, mode);
  } else {
    WriteBarrierMode barrier_mode =
        IsSmiElementsKind(kind) ? SKIP_WRITE_BARRIER : UPDATE_WRITE_BARRIER;

--- a/test/mjsunit/regress/regress-crbug-944435.js
+++ b/test/mjsunit/regress/regress-crbug-944435.js
+// Copyright 2019 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+// Flags: --verify-heap --expose-gc
+function foo(  )  {
+  return [
+  0,
+  1,
+  2,
+  3,
+  4,
+  5,
+  6,
+  7,
+  8,
+  9,
+  10,
+  0x1000000,
+  0x40000000,
+  12,
+  60,
+  100,
+  1000 * 60 * 60 * 24].map(Math.asin);
+}
+let b = [];
+b.constructor = {};
+b.constructor[Symbol.species] = function() {};
+let a = [];
+for (let i = 0; i < 10; i++) {
+  a.push(foo());
+  gc();
+  gc();
+  gc();
+}
--- a/third_party/v8/builtins/array-sort.tq
+++ b/third_party/v8/builtins/array-sort.tq
@@ -264,8 +264,7 @@ namespace array {
    const object = UnsafeCast<JSObject>(sortState.receiver);
    const elements = UnsafeCast<FixedDoubleArray>(object.elements);
    const heapVal = UnsafeCast<HeapNumber>(value);
-    // Make sure we do not store signalling NaNs into double arrays.
+    const val = Convert<float64>(heapVal);
-    const val = Float64SilenceNaN(Convert<float64>(heapVal));
    StoreFixedDoubleArrayElementSmi(elements, index, val);
    return kSuccess;
  }