Commit b6133551 authored by Mythri A's avatar Mythri A Committed by Commit Bot

[ic] Fix a bug in StoreOwnIC when storing NaN values

We use StoreOwnIC to initialize the object after creating a new object
with CreateObjectLiteral. CreateObjectLiteral stores kHoleNaNInt64
to indicate an uninitialized double field. When we actually try
to store a NaN value into that field later using StoreOwnIC, IC avoids
actually storing the new value since the existing value is "same as"
the value we try to write. The float comparison treats all NaNs as
equal. In this particular case, we should actually store the new value
since kHoleNaNInt64 value is used to represent an uninitialized field.

This cl just stores the new value even when the existing value is same
as the new value for double fields. The check is still required to
correctly track const fields.

Bug: chromium:1082293
Change-Id: Ib37061802f2403545cffa6d6fef08be074b0825d
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2228886Reviewed-by: 's avatarIgor Sheludko <ishell@chromium.org>
Commit-Queue: Mythri Alle <mythria@chromium.org>
Cr-Commit-Position: refs/heads/master@{#68167}
parent 8e4b758e
...@@ -1334,12 +1334,13 @@ void AccessorAssembler::OverwriteExistingFastDataProperty( ...@@ -1334,12 +1334,13 @@ void AccessorAssembler::OverwriteExistingFastDataProperty(
if (do_transitioning_store) { if (do_transitioning_store) {
StoreMap(object, object_map); StoreMap(object, object_map);
} else { } else {
Label if_mutable(this); Label store_value(this);
GotoIfNot(IsPropertyDetailsConst(details), &if_mutable); GotoIfNot(IsPropertyDetailsConst(details), &store_value);
TNode<Float64T> current_value = TNode<Float64T> current_value =
LoadObjectField<Float64T>(object, field_offset); LoadObjectField<Float64T>(object, field_offset);
BranchIfSameNumberValue(current_value, double_value, &done, slow); BranchIfSameNumberValue(current_value, double_value, &store_value,
BIND(&if_mutable); slow);
BIND(&store_value);
} }
StoreObjectFieldNoWriteBarrier(object, field_offset, double_value); StoreObjectFieldNoWriteBarrier(object, field_offset, double_value);
} else { } else {
...@@ -1351,11 +1352,12 @@ void AccessorAssembler::OverwriteExistingFastDataProperty( ...@@ -1351,11 +1352,12 @@ void AccessorAssembler::OverwriteExistingFastDataProperty(
} else { } else {
TNode<HeapNumber> heap_number = TNode<HeapNumber> heap_number =
CAST(LoadObjectField(object, field_offset)); CAST(LoadObjectField(object, field_offset));
Label if_mutable(this); Label store_value(this);
GotoIfNot(IsPropertyDetailsConst(details), &if_mutable); GotoIfNot(IsPropertyDetailsConst(details), &store_value);
TNode<Float64T> current_value = LoadHeapNumberValue(heap_number); TNode<Float64T> current_value = LoadHeapNumberValue(heap_number);
BranchIfSameNumberValue(current_value, double_value, &done, slow); BranchIfSameNumberValue(current_value, double_value, &store_value,
BIND(&if_mutable); slow);
BIND(&store_value);
StoreHeapNumberValue(heap_number, double_value); StoreHeapNumberValue(heap_number, double_value);
} }
} }
......
// Copyright 2020 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax
function f() {
let buffer = new ArrayBuffer(8);
let a32 = new Float32Array(buffer);
let a8 = new Uint32Array(buffer);
let a = { value: NaN };
Object.defineProperty(a32, 0, { value: NaN });
return a8[0];
}
let value = f();
%EnsureFeedbackVectorForFunction(f);
assertEquals(value, f());
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment