Title: [116455] trunk/Source/JavaScriptCore
- Revision: 116455
- Author: [email protected]
- Date: 2012-05-08 14:52:11 -0700 (Tue, 08 May 2012)
Log Message
SIGFPE on divide in classic interpreter
https://bugs.webkit.org/show_bug.cgi?id=85917
Rubber stamped by Oliver Hunt.
* interpreter/Interpreter.cpp:
(JSC::Interpreter::privateExecute):
- check for divisor of -1.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (116454 => 116455)
--- trunk/Source/_javascript_Core/ChangeLog 2012-05-08 21:22:33 UTC (rev 116454)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-05-08 21:52:11 UTC (rev 116455)
@@ -1,3 +1,14 @@
+2012-05-08 Gavin Barraclough <[email protected]>
+
+ SIGFPE on divide in classic interpreter
+ https://bugs.webkit.org/show_bug.cgi?id=85917
+
+ Rubber stamped by Oliver Hunt.
+
+ * interpreter/Interpreter.cpp:
+ (JSC::Interpreter::privateExecute):
+ - check for divisor of -1.
+
2012-05-07 Oliver Hunt <[email protected]>
Rolling out r110287
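Review bot: The entry's only description, `- check for divisor of -1.`, does not say which input fails or why, and the title says "divide" while the Interpreter.cpp hunk changes the `%` fast path. Suggest naming the failing case in the entry (a 32-bit remainder with the minimum int32 dividend and a divisor of -1 overflows and raises SIGFPE on x86) and listing a regression test, since none appears in this patch and the change was rubber stamped rather than reviewed.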
Modified: trunk/Source/_javascript_Core/interpreter/Interpreter.cpp (116454 => 116455)
--- trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2012-05-08 21:22:33 UTC (rev 116454)
+++ trunk/Source/_javascript_Core/interpreter/Interpreter.cpp 2012-05-08 21:52:11 UTC (rev 116455)
@@ -2448,7 +2448,7 @@
JSValue dividend = callFrame->r(vPC[2].u.operand).jsValue();
JSValue divisor = callFrame->r(vPC[3].u.operand).jsValue();
- if (dividend.isInt32() && divisor.isInt32() && divisor.asInt32() != 0) {
+ if (dividend.isInt32() && divisor.isInt32() && divisor.asInt32() != 0 && divisor.asInt32() != -1) {
JSValue result = jsNumber(dividend.asInt32() % divisor.asInt32());
ASSERT(result);
callFrame->uncheckedR(dst) = result;
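Review bot: The added `divisor.asInt32() != -1` term in the fast-path condition has no comment, so the next reader cannot tell why -1 is special next to the existing `!= 0` check. Only the minimum int32 dividend with a divisor of -1 overflows in `dividend.asInt32() % divisor.asInt32()`, yet the guard sends every `x % -1` to the slow path. If that breadth is intentional, a one-line comment above the `if` should say so; otherwise the test can be narrowed to that single dividend. A regression test that evaluates the minimum int32 value `% -1` in the classic interpreter would keep this from returning.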