| Index: src/compiler/js-native-context-specialization.cc
|
| diff --git a/src/compiler/js-native-context-specialization.cc b/src/compiler/js-native-context-specialization.cc
|
| index d8c2254961e79f84e77185a0a1af2c985d3e7def..e34d2444886c7a5e590bd184493f48fafaec2118 100644
|
| --- a/src/compiler/js-native-context-specialization.cc
|
| +++ b/src/compiler/js-native-context-specialization.cc
|
| @@ -842,6 +842,11 @@ Reduction JSNativeContextSpecialization::ReduceElementAccess(
|
| this_effect, this_control);
|
| this_value = graph()->NewNode(simplified()->TypeGuard(Type::Number()),
|
| this_value, this_control);
|
| + // Make sure we do not store signalling NaNs into holey double arrays.
|
| + if (elements_kind == FAST_HOLEY_DOUBLE_ELEMENTS) {
|
| + this_value =
|
| + graph()->NewNode(simplified()->NumberSilenceNaN(), this_value);
|
| + }
|
| }
|
| this_effect = graph()->NewNode(simplified()->StoreElement(element_access),
|
| this_elements, this_index, this_value,
|
|
|
Chromium Code Reviews
Issue 2060233002:
[turbofan] Prevent storing signalling NaNs into holey double arrays. (Closed)
Base URL: https://chromium.googlesource.com/v8/v8.git@master