languages/dart-sdk
languages/dart-sdk
1
0
Fork 0
mirror of https://github.com/dart-lang/sdk synced 2024-11-02 14:32:24 +00:00
Code Issues Projects Releases Packages Wiki Activity
dart-sdk/sdk
History
Stephen Adams 5c582f82f0 [dart2js, js_runtime, js_dev_runtime] NaN-safe range checks. 
`int` variables can attain NaN values because web int arithmetic
implemented by JavaScript numbers (doubles) is not closed under many
operations. It is possible get NaN using only addition:

    int a = 1, b = -1;
    while (a + a != a) { a += a; b += b; }
    int nan = a + b;

On the VM, a, b and nan are all zero.
On the web, a, b and nan are Infinity, -Infinity and NaN, respectively.

Since NaN can leak into int arithmetic, is it helpful if bounds checks
catch NaN indexes. NaN compares false in any comparison, so a test
of the form

   if (index < 0 || index >= a.length) throw ioore(a, index);

fails to detect a NaN value of `index`.
This is fixed by negating the comparisons, and applying De Morgan's law:

   if (!(index >= 0 && index < a.length)) throw ioore(a, index);

These changes have been applied to JSArray.[], JSArray.[]= and String.[]

For dart2js the change is a little more involved. Primitive indexing is
lowered to code with a HBoundsCheck check instruction. The code generated
for the instruction now uses, e.g. `!(i>=0)` instead of `i<0`.
This leads to a small code size regression.

There is no regression at -O4 since bounds checks are omitted at -O4.

At -O3 (where the regression is largest) the regression is
   0.01% for cm
   0.06% for flutter gallery -- array-heavy diff and layout
   0.21% for Meteor          -- array-heavy code
   0.30% for Box2DOctane     -- array-heavy code

I believe the regression can be largely alleviated by determining if
NaN is impossible at the index check, and if so, reverting to the smaller
code pattern. The analysis could be global, incorporating NaN into the
global abstract value domain, or a much simpler a local dataflow
analysis. Many indexes are loop driven and cannot reach infinity because
they are incremented by a small bump and eventually (even without a loop
guard) the index would stop growing when the increment falls below the
rounding error in O(2^53) iterations.


Change-Id: I23ab1eb779f1d0c9c6655e13d69f65d453db9284
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/210321
Commit-Queue: Stephen Adams <sra@google.com>
Reviewed-by: Mayank Patke <fishythefish@google.com>
2021-08-27 00:37:56 +00:00
..
bin Deprecate top level pub. 2021-08-24 08:34:58 +00:00
lib [dart2js, js_runtime, js_dev_runtime] NaN-safe range checks. 2021-08-27 00:37:56 +00:00
api_readme.md
BUILD.gn Deprecate top level pub. 2021-08-24 08:34:58 +00:00