Bug 906286 - Canonicalize NaN values stored to float arrays in JS_MORE_DETERMINISTIC builds. r=luke

2024-09-13 09:24:08 -07:00 · 2013-08-21 08:40:17 +02:00 · 2013-08-21 08:40:17 +02:00 · 89e2f52152
commit 89e2f52152
parent 21991b1148
2 changed files with 14 additions and 2 deletions
--- a/js/src/jit/IonMacroAssembler.h
+++ b/js/src/jit/IonMacroAssembler.h
@ -579,8 +579,12 @@ class MacroAssembler : public MacroAssemblerSpecific
        }
    }

-    template<typename S, typename T>
-    void storeToTypedFloatArray(int arrayType, const S &value, const T &dest) {
+    template<typename T>
+    void storeToTypedFloatArray(int arrayType, FloatRegister value, const T &dest) {
+#ifdef JS_MORE_DETERMINISTIC
+        // See the comment in ToDoubleForTypedArray.
+        canonicalizeDouble(value);
+#endif
        switch (arrayType) {
          case TypedArrayObject::TYPE_FLOAT32:
            convertDoubleToFloat(value, ScratchFloatReg);
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@ -1357,6 +1357,14 @@ js::ToDoubleForTypedArray(JSContext *cx, JS::HandleValue vp, double *d)
        *d = js_NaN;
    }

+#ifdef JS_MORE_DETERMINISTIC
+    // It's possible to have a NaN value with the sign bit set. The spec allows
+    // this but it can confuse differential testing when this value is stored
+    // to a float array and then read back as integer. To work around this, we
+    // always canonicalize NaN values in more-deterministic builds.
+    *d = JS_CANONICALIZE_NAN(*d);
+#endif
+
    return true;
 }