[MERGE #5613 @sigatrev] MSFT:18327064 OpHelpers returning ints as floats leading to infinite bailouts

sigatrev · sigatrev · commit 44a59f25c301 · 2018-08-20T15:36:20.000-07:00
Merge pull request #5613 from sigatrev:stringOpt The following operations on a number as a string all returned doubles even when the value was integral, causing bailouts on some array operations. ``` var i = "1"; +i // Op_ConvNumber_Full ++i; // Op_Increment_Full -i; // Op_Negate_Full --i; // Op_Decrement_Full 1 - i; // Op_Subract_Full 1 * i; // Op_Multiply_Ful 1 ** i // Op_Exponentiation_Full 1 % i // Op_Modulus_Full var ary = [0,1]; // will bail out infinitely ary[+i]; ``` This is already checked in on the OS side
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -10544,7 +10544,7 @@ using namespace Js;
             return aRight;
         }
 
-        return JavascriptNumber::ToVarNoCheck(JavascriptConversion::ToNumber_Full(aRight, scriptContext), scriptContext);
+        return JavascriptNumber::ToVarIntCheck(JavascriptConversion::ToNumber_Full(aRight, scriptContext), scriptContext);
         JIT_HELPER_END(Op_ConvNumber_Full);
     }
 
diff --git a/lib/Runtime/Library/JavascriptNumber.cpp b/lib/Runtime/Library/JavascriptNumber.cpp
@@ -36,9 +36,13 @@ namespace Js
 
     Var JavascriptNumber::ToVarInPlace(int64 value, ScriptContext* scriptContext, JavascriptNumber *result)
     {
-        return InPlaceNew((double)value, scriptContext, result);
-    }
+        if (!TaggedInt::IsOverflow(value))
+        {
+            return TaggedInt::ToVarUnchecked(static_cast<int>(value));
+        }
 
+        return InPlaceNew(static_cast<double>(value), scriptContext, result);
+    }
 
     Var JavascriptNumber::ToVarMaybeInPlace(double value, ScriptContext* scriptContext, JavascriptNumber *result)
     {
diff --git a/lib/Runtime/Math/JavascriptMath.cpp b/lib/Runtime/Math/JavascriptMath.cpp
@@ -14,7 +14,7 @@ using namespace Js;
             }
 
             double value = Negate_Helper(aRight, scriptContext);
-            return JavascriptNumber::ToVarNoCheck(value, scriptContext);
+            return JavascriptNumber::ToVarIntCheck(value, scriptContext);
             JIT_HELPER_END(Op_Negate_Full);
         }
         JIT_HELPER_TEMPLATE(Op_Negate_Full, Op_Negate)
@@ -77,7 +77,7 @@ using namespace Js;
             }
 
             double inc = Increment_Helper(aRight, scriptContext);
-            return JavascriptNumber::ToVarNoCheck(inc, scriptContext);
+            return JavascriptNumber::ToVarIntCheck(inc, scriptContext);
             JIT_HELPER_END(Op_Increment_Full);
         }
         JIT_HELPER_TEMPLATE(Op_Increment_Full, Op_Increment)
@@ -104,7 +104,7 @@ using namespace Js;
             }
 
             double dec = Decrement_Helper(aRight,scriptContext);
-            return JavascriptNumber::ToVarNoCheck(dec, scriptContext);
+            return JavascriptNumber::ToVarIntCheck(dec, scriptContext);
             JIT_HELPER_END(Op_Decrement_Full);
         }
         JIT_HELPER_TEMPLATE(Op_Decrement_Full, Op_Decrement)
@@ -792,7 +792,7 @@ using namespace Js;
         {
             JIT_HELPER_REENTRANT_HEADER(Op_Subtract_Full);
             double difference = Subtract_Helper(aLeft, aRight, scriptContext);
-            return JavascriptNumber::ToVarNoCheck(difference, scriptContext);
+            return JavascriptNumber::ToVarIntCheck(difference, scriptContext);
             JIT_HELPER_END(Op_Subtract_Full);
         }
         JIT_HELPER_TEMPLATE(Op_Subtract_Full, Op_Subtract)
@@ -825,7 +825,7 @@ using namespace Js;
             JIT_HELPER_REENTRANT_HEADER(Op_Exponentiation_Full);
             double x = JavascriptConversion::ToNumber(aLeft, scriptContext);
             double y = JavascriptConversion::ToNumber(aRight, scriptContext);
-            return JavascriptNumber::ToVarNoCheck(Math::Pow(x, y), scriptContext);
+            return JavascriptNumber::ToVarIntCheck(Math::Pow(x, y), scriptContext);
             JIT_HELPER_END(Op_Exponentiation_Full);
         }
         JIT_HELPER_TEMPLATE(Op_Exponentiation_Full, Op_Exponentiation)
@@ -874,7 +874,7 @@ using namespace Js;
                 return TaggedInt::Multiply(aLeft, aRight, scriptContext);
             }
             double product = Multiply_Helper(aLeft, aRight, scriptContext);
-            return JavascriptNumber::ToVarNoCheck(product, scriptContext);
+            return JavascriptNumber::ToVarIntCheck(product, scriptContext);
             JIT_HELPER_END(Op_Multiply_Full);
         }
         JIT_HELPER_TEMPLATE(Op_Multiply_Full, Op_Multiply)
@@ -939,7 +939,7 @@ using namespace Js;
             }
 
             double remainder = Modulus_Helper(aLeft, aRight, scriptContext);
-            return JavascriptNumber::ToVarNoCheck(remainder, scriptContext);
+            return JavascriptNumber::ToVarIntCheck(remainder, scriptContext);
             JIT_HELPER_END(Op_Modulus_Full);
         }
         JIT_HELPER_TEMPLATE(Op_Modulus_Full, Op_Modulus)

Original file line number	Diff line number	Diff line change
`@@ -10544,7 +10544,7 @@ using namespace Js;`
`10544`	`10544`	`return aRight;`
`10545`	`10545`	`}`
`10546`	`10546`
`10547`		`- return JavascriptNumber::ToVarNoCheck(JavascriptConversion::ToNumber_Full(aRight, scriptContext), scriptContext);`
	`10547`	`+ return JavascriptNumber::ToVarIntCheck(JavascriptConversion::ToNumber_Full(aRight, scriptContext), scriptContext);`
`10548`	`10548`	`JIT_HELPER_END(Op_ConvNumber_Full);`
`10549`	`10549`	`}`
`10550`	`10550`
Original file line number	Diff line number	Diff line change
`@@ -36,9 +36,13 @@ namespace Js`
`36`	`36`
`37`	`37`	`Var JavascriptNumber::ToVarInPlace(int64 value, ScriptContext* scriptContext, JavascriptNumber *result)`
`38`	`38`	`{`
`39`		`- return InPlaceNew((double)value, scriptContext, result);`
`40`		`- }`
	`39`	`+ if (!TaggedInt::IsOverflow(value))`
	`40`	`+ {`
	`41`	`+ return TaggedInt::ToVarUnchecked(static_cast<int>(value));`
	`42`	`+ }`
`41`	`43`
	`44`	`+ return InPlaceNew(static_cast<double>(value), scriptContext, result);`
	`45`	`+ }`
`42`	`46`
`43`	`47`	`Var JavascriptNumber::ToVarMaybeInPlace(double value, ScriptContext* scriptContext, JavascriptNumber *result)`
`44`	`48`	`{`
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@ using namespace Js;`
`14`	`14`	`}`
`15`	`15`
`16`	`16`	`double value = Negate_Helper(aRight, scriptContext);`
`17`		`- return JavascriptNumber::ToVarNoCheck(value, scriptContext);`
	`17`	`+ return JavascriptNumber::ToVarIntCheck(value, scriptContext);`
`18`	`18`	`JIT_HELPER_END(Op_Negate_Full);`
`19`	`19`	`}`
`20`	`20`	`JIT_HELPER_TEMPLATE(Op_Negate_Full, Op_Negate)`
`@@ -77,7 +77,7 @@ using namespace Js;`
`77`	`77`	`}`
`78`	`78`
`79`	`79`	`double inc = Increment_Helper(aRight, scriptContext);`
`80`		`- return JavascriptNumber::ToVarNoCheck(inc, scriptContext);`
	`80`	`+ return JavascriptNumber::ToVarIntCheck(inc, scriptContext);`
`81`	`81`	`JIT_HELPER_END(Op_Increment_Full);`
`82`	`82`	`}`
`83`	`83`	`JIT_HELPER_TEMPLATE(Op_Increment_Full, Op_Increment)`
`@@ -104,7 +104,7 @@ using namespace Js;`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`double dec = Decrement_Helper(aRight,scriptContext);`
`107`		`- return JavascriptNumber::ToVarNoCheck(dec, scriptContext);`
	`107`	`+ return JavascriptNumber::ToVarIntCheck(dec, scriptContext);`
`108`	`108`	`JIT_HELPER_END(Op_Decrement_Full);`
`109`	`109`	`}`
`110`	`110`	`JIT_HELPER_TEMPLATE(Op_Decrement_Full, Op_Decrement)`
`@@ -792,7 +792,7 @@ using namespace Js;`
`792`	`792`	`{`
`793`	`793`	`JIT_HELPER_REENTRANT_HEADER(Op_Subtract_Full);`
`794`	`794`	`double difference = Subtract_Helper(aLeft, aRight, scriptContext);`
`795`		`- return JavascriptNumber::ToVarNoCheck(difference, scriptContext);`
	`795`	`+ return JavascriptNumber::ToVarIntCheck(difference, scriptContext);`
`796`	`796`	`JIT_HELPER_END(Op_Subtract_Full);`
`797`	`797`	`}`
`798`	`798`	`JIT_HELPER_TEMPLATE(Op_Subtract_Full, Op_Subtract)`
`@@ -825,7 +825,7 @@ using namespace Js;`
`825`	`825`	`JIT_HELPER_REENTRANT_HEADER(Op_Exponentiation_Full);`
`826`	`826`	`double x = JavascriptConversion::ToNumber(aLeft, scriptContext);`
`827`	`827`	`double y = JavascriptConversion::ToNumber(aRight, scriptContext);`
`828`		`- return JavascriptNumber::ToVarNoCheck(Math::Pow(x, y), scriptContext);`
	`828`	`+ return JavascriptNumber::ToVarIntCheck(Math::Pow(x, y), scriptContext);`
`829`	`829`	`JIT_HELPER_END(Op_Exponentiation_Full);`
`830`	`830`	`}`
`831`	`831`	`JIT_HELPER_TEMPLATE(Op_Exponentiation_Full, Op_Exponentiation)`
`@@ -874,7 +874,7 @@ using namespace Js;`
`874`	`874`	`return TaggedInt::Multiply(aLeft, aRight, scriptContext);`
`875`	`875`	`}`
`876`	`876`	`double product = Multiply_Helper(aLeft, aRight, scriptContext);`
`877`		`- return JavascriptNumber::ToVarNoCheck(product, scriptContext);`
	`877`	`+ return JavascriptNumber::ToVarIntCheck(product, scriptContext);`
`878`	`878`	`JIT_HELPER_END(Op_Multiply_Full);`
`879`	`879`	`}`
`880`	`880`	`JIT_HELPER_TEMPLATE(Op_Multiply_Full, Op_Multiply)`
`@@ -939,7 +939,7 @@ using namespace Js;`
`939`	`939`	`}`
`940`	`940`
`941`	`941`	`double remainder = Modulus_Helper(aLeft, aRight, scriptContext);`
`942`		`- return JavascriptNumber::ToVarNoCheck(remainder, scriptContext);`
	`942`	`+ return JavascriptNumber::ToVarIntCheck(remainder, scriptContext);`
`943`	`943`	`JIT_HELPER_END(Op_Modulus_Full);`
`944`	`944`	`}`
`945`	`945`	`JIT_HELPER_TEMPLATE(Op_Modulus_Full, Op_Modulus)`