From 18214ad3bf0816e79da0830b67ceeec641efbebe Mon Sep 17 00:00:00 2001
From: Sean Stangl
Date: Thu, 11 Apr 2019 22:34:46 +0000
Subject: [PATCH] Bug 1538083 - Fix -0 handling in ARM64 visitTrunc(). r=nbp
The existing truncation code did not correctly handle the case of negative zero. The fix is to avoid using FCMP floating-point comparisons, and check the sign bit explicitly in a GPR.
Differential Revision: https://phabricator.services.mozilla.com/D26381
--HG--
extra : moz-landing-system : lando
---
 js/src/jit-test/tests/ion/bug1538083.js | 8 ++++++++
 js/src/jit/arm64/CodeGenerator-arm64.cpp | 11 +++++++++++
 2 files changed, 19 insertions(+)
 create mode 100644 js/src/jit-test/tests/ion/bug1538083.js
diff --git a/js/src/jit-test/tests/ion/bug1538083.js b/js/src/jit-test/tests/ion/bug1538083.js
new file mode 100644
index 000000000000..e1c6d50b8d92
--- /dev/null
+++ b/js/src/jit-test/tests/ion/bug1538083.js
@@ -0,0 +1,8 @@
+// Crashes with --no-threads --ion-eager.
+x = [8589934592, -0];
+y = [0, 0];
+for (let i = 0; i < 2; ++i) {
+ y[i] = uneval(Math.trunc(Math.tan(x[i])));
+}
+assertEq(y[0].toString(), "1");
+assertEq(y[1].toString(), "-0");
diff --git a/js/src/jit/arm64/CodeGenerator-arm64.cpp b/js/src/jit/arm64/CodeGenerator-arm64.cpp
index 9addcc93de36..dc2220d7bbcd 100644
--- a/js/src/jit/arm64/CodeGenerator-arm64.cpp
+++ b/js/src/jit/arm64/CodeGenerator-arm64.cpp
@@ -1104,6 +1104,7 @@ void CodeGenerator::visitTrunc(LTrunc* lir) {
 const ARMFPRegister input64(input, 64);
 const Register output = ToRegister(lir->output());
 const ARMRegister output32(output, 32);
+ const ARMRegister output64(output, 64);
 Label done, zeroCase;
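Review bot: The new test in js/src/jit-test/tests/ion/bug1538083.js only reaches the double path (visitTrunc), so the matching -0 check this patch adds to visitTruncF is left without a regression test. A float32 case along the lines of `assertEq(uneval(Math.trunc(Math.fround(-0))), "-0");` should cover it, assuming Ion specializes that call to float32. The header comment says the crash needs `--no-threads --ion-eager`, and a two-iteration loop will not reach Ion unless the harness happens to pass those flags. A first-line `// |jit-test| --ion-eager; --no-threads` directive would make that dependency explicit.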
@@ -1133,6 +1134,11 @@ void CodeGenerator::visitTrunc(LTrunc* lir) {
 // The use of "lt" instead of "lo" also catches unordered NaN input.
 masm.Fcmp(input64, 0.0);
 bailoutIf(vixl::lt, lir->snapshot());
+
+ // Check explicitly for -0, bitwise.
+ masm.Fmov(output64, input64);
+ bailoutTestPtr(Assembler::Signed, output, output, lir->snapshot());
+ masm.movePtr(ImmPtr(0), output);
 }
 masm.bind(&done);
@@ -1172,6 +1178,11 @@ void CodeGenerator::visitTruncF(LTruncF* lir) {
 // The use of "lt" instead of "lo" also catches unordered NaN input.
 masm.Fcmp(input32, 0.0f);
 bailoutIf(vixl::lt, lir->snapshot());
+
+ // Check explicitly for -0, bitwise.
+ masm.Fmov(output32, input32);
+ bailoutTest32(Assembler::Signed, output, output, lir->snapshot());
+ masm.move32(Imm32(0), output);
 }
 masm.bind(&done);
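Review bot: In the visitTrunc hunk (`@@ -1133,6 +1134,11 @@`) the added comment `// Check explicitly for -0, bitwise.` does not say why the preceding `Fcmp`/`bailoutIf(vixl::lt, ...)` misses -0 or why `output` is written twice, and the same applies to the parallel lines in the visitTruncF hunk. I would expand it to something like `// Fcmp treats -0 as equal to 0.0, so test the sign bit of the raw bits; output is only scratch here and is re-zeroed below.` The commit message speaks of avoiding FCMP, yet the comparison is kept in both functions; presumably it is still needed for NaN inputs whose sign bit is clear, which is worth stating next to it. On the 64-bit path `masm.movePtr(ImmWord(0), output);` would read more naturally than `ImmPtr(0)` for an integer zero. Both function bodies start and end outside these hunks.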