Memset with native float arrays needs to check the type of the source because we can do nativearray[i] = var and bailout after the fact if the source was not a float (ie: changes the type of array).

Cellule · Cellule · commit 876e84f4eaef · 2016-05-03T17:07:48.000-07:00
Since memset will not change the type of the array, it needs to check before hand that the source is actually a float or int and bailout if not.
diff --git a/lib/Runtime/Language/JavascriptOperators.cpp b/lib/Runtime/Language/JavascriptOperators.cpp
@@ -4689,6 +4689,11 @@ namespace Js
                 }
                 else
                 {
+                    // For native float arrays, the jit doesn't check the type of the source so we have to do it here
+                    if (!JavascriptNumber::Is(value) && !TaggedNumber::Is(value))
+                    {
+                        return false;
+                    }
                     returnValue = JavascriptArray::FromVar(instance)->DirectSetItemAtRange<double>(start, length, JavascriptConversion::ToNumber(value, scriptContext));
                 }
                 returnValue &= vt == VirtualTableInfoBase::GetVirtualTable(instance);

Original file line number	Diff line number	Diff line change
`@@ -4689,6 +4689,11 @@ namespace Js`
`4689`	`4689`	`}`
`4690`	`4690`	`else`
`4691`	`4691`	`{`
	`4692`	`+ // For native float arrays, the jit doesn't check the type of the source so we have to do it here`
	`4693`	`+ if (!JavascriptNumber::Is(value) && !TaggedNumber::Is(value))`
	`4694`	`+ {`
	`4695`	`+ return false;`
	`4696`	`+ }`
`4692`	`4697`	`returnValue = JavascriptArray::FromVar(instance)->DirectSetItemAtRange<double>(start, length, JavascriptConversion::ToNumber(value, scriptContext));`
`4693`	`4698`	`}`
`4694`	`4699`	`returnValue &= vt == VirtualTableInfoBase::GetVirtualTable(instance);`