Bug 906286 - Canonicalize NaN values stored to float arrays in JS_MORE_DETERMINISTIC builds. r=luke

js/src/jit/IonMacroAssembler.h

@@ -579,8 +579,12 @@ class MacroAssembler : public MacroAssemblerSpecific
         }
     }
 
-    template<typename S, typename T>
+    template<typename T>
-    void storeToTypedFloatArray(int arrayType, const S &value, const T &dest) {
+    void storeToTypedFloatArray(int arrayType, FloatRegister value, const T &dest) {
+#ifdef JS_MORE_DETERMINISTIC
+        // See the comment in ToDoubleForTypedArray.
+        canonicalizeDouble(value);
+#endif
         switch (arrayType) {
           case TypedArrayObject::TYPE_FLOAT32:
             convertDoubleToFloat(value, ScratchFloatReg);

js/src/vm/TypedArrayObject.cpp

@@ -1357,6 +1357,14 @@ js::ToDoubleForTypedArray(JSContext *cx, JS::HandleValue vp, double *d)
         *d = js_NaN;
     }
 
+#ifdef JS_MORE_DETERMINISTIC
+    // It's possible to have a NaN value with the sign bit set. The spec allows
+    // this but it can confuse differential testing when this value is stored
+    // to a float array and then read back as integer. To work around this, we
+    // always canonicalize NaN values in more-deterministic builds.
+    *d = JS_CANONICALIZE_NAN(*d);
+#endif
+
     return true;
 }