Title: [111381] trunk/Source/JavaScriptCore
- Revision: 111381
- Author: [email protected]
- Date: 2012-03-20 04:52:54 -0700 (Tue, 20 Mar 2012)
Log Message
Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1
https://bugs.webkit.org/show_bug.cgi?id=81428
32 bit buildfix after r111355.
2147483648 (2^31) isn't valid int literal in ISO C90, because 2147483647 (2^31-1) is the biggest int.
The smallest int is -2147483648 (-2^31) == -2147483647 - 1 == -INT32_MAX-1 == INT32_MIN (stdint.h).
Reviewed by Zoltan Herczeg.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
Diff
Modified: trunk/Source/JavaScriptCore/ChangeLog (111380 => 111381)
--- trunk/Source/_javascript_Core/ChangeLog 2012-03-20 11:47:05 UTC (rev 111380)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-03-20 11:52:54 UTC (rev 111381)
@@ -1,3 +1,18 @@
+2012-03-20 Csaba Osztrogonác <[email protected]>
+
+ Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1
+ https://bugs.webkit.org/show_bug.cgi?id=81428
+
+ 32 bit buildfix after r111355.
+
+ 2147483648 (2^31) isn't valid int literal in ISO C90, because 2147483647 (2^31-1) is the biggest int.
+ The smallest int is -2147483648 (-2^31) == -2147483647 - 1 == -INT32_MAX-1 == INT32_MIN (stdint.h).
+
+ Reviewed by Zoltan Herczeg.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
+
2012-03-19 Jochen Eisinger <[email protected]>
Split WTFReportBacktrace into WTFReportBacktrace and WTFPrintBacktrace
Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (111380 => 111381)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-03-20 11:47:05 UTC (rev 111380)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-03-20 11:52:54 UTC (rev 111381)
@@ -2483,10 +2483,10 @@
JITCompiler::Jump done;
if (nodeUsedAsNumber(node.arithNodeFlags())) {
speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branchTest32(JITCompiler::Zero, op2GPR));
- speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483648)));
+ speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1)));
} else {
JITCompiler::Jump zero = m_jit.branchTest32(JITCompiler::Zero, op2GPR);
- JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483648));
+ JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1));
zero.link(&m_jit);
m_jit.move(TrustedImm32(0), eax.gpr());
done = m_jit.jump();
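Review bot: both replaced lines (the speculationCheck in the nodeUsedAsNumber branch and the notNeg2ToThe31 jump in the else branch) now pass the bare expression -2147483647-1, which builds on 32 bit but hides that the operand is the minimum 32-bit int. The ChangeLog entry itself names INT32_MIN from stdint.h, so TrustedImm32(INT32_MIN), or one named constant shared by both branches, would state the intent and keep the two comparisons from drifting apart. Separately, in the else branch the jump named notNeg2ToThe31 is created with JITCompiler::Equal, so it is taken when op1GPR equals -2^31; the name reads as the opposite of the condition, and one of the two should be changed so the special case for -2147483648/-1 is easy to audit.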