Bail out when either operand is not number for float type specialization

nhat-nguyen · nhat-nguyen · commit 3c0a6a152087 · 2018-10-03T14:00:40.000-07:00
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -10643,6 +10643,18 @@ GlobOpt::TypeSpecializeFloatBinary(IR::Instr *instr, Value *src1Val, Value *src2
         case Js::OpCode::CmSrEq_A:
         case Js::OpCode::CmNeq_A:
         case Js::OpCode::CmSrNeq_A:
+        {
+            if (src1Val->GetValueInfo()->IsNotNumber() || src2Val->GetValueInfo()->IsNotNumber())
+            {
+                return false;
+            }
+
+            allowUndefinedOrNullSrc1 = false;
+            allowUndefinedOrNullSrc2 = false;
+            convertDstToBool = true;
+            break;
+        }
+
         case Js::OpCode::CmLe_A:
         case Js::OpCode::CmLt_A:
         case Js::OpCode::CmGe_A:
diff --git a/test/Basics/FloatComparison.js b/test/Basics/FloatComparison.js
@@ -80,7 +80,76 @@ var tests = [
             }
             test0();
         }
-    }
+    },
+    {
+        name: "Bail out on not number, #1",
+        body: function() {
+            var f32 = new Float32Array(256);
+            assert.isTrue(f32[1] !== (typeof 1 != 'number'));
+        }
+    },
+    {
+        name: "Bail out on not number, #2",
+        body: function() {
+            var obj0 = {};
+            var obj1 = {};
+            var func3 = function () {
+              ary = [];
+              test = function (list1, list2) {
+                return list1.splice.apply(list1, [
+                  a,
+                  0
+                ].concat(list2));
+              };
+              test(ary, c === a);
+            };
+            var func4 = function () {
+              return func3();
+            };
+            obj1.method1 = func4;
+            var c = -0;
+            a = obj0 === 1;
+            var __loopvar2 = 0;
+            do {
+              if (__loopvar2 > 7) {
+                break;
+              }
+              __loopvar2 += 2;
+              obj1.method1();
+            } while (obj0);
+            
+            assert.areEqual(ary, [false]);
+        }
+    },
+    {
+        name: "Bail out on not number, #3",
+        body: function() {
+            function test0() {
+                var GiantPrintArray = [];
+                var obj1 = {};
+                var f64 = new Float64Array(1);
+                function _callback1tmp() {
+                  return function () {
+                    function v0(arg0, arg1, arg2) {
+                      this.v3 = arg2;
+                    }
+                    function v4() {
+                      var v5 = new v0(test0, test0, obj1 <= 1 !== f64[obj1.prop0 & 1]);
+                      GiantPrintArray.push(v5.v3);
+                    }
+                    v4();
+                    v4();
+                    v4();
+                  };
+                }
+                _callback1tmp()();
+                return GiantPrintArray;
+            }
+            assert.areEqual(test0(), [true, true, true]);
+            assert.areEqual(test0(), [true, true, true]);
+            assert.areEqual(test0(), [true, true, true]);
+        }
+    },
 ];
 
 testRunner.runTests(tests, { verbose: WScript.Arguments[0] != "summary" });
