Bug 106978

Summary: DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
CC: d-r
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All

Michael Saboff
Reported 2013-01-15 20:59:53 PST
From <rdar://problem/13021805>

Try this program:

    function foo(a, b) { return (a / b) | 0; }
    for (var i = 0; i < 200; ++i)
        print(foo(-2147483647-1, -1));

Expected result: prints -2147483648 200 times.

Actual result: crash.

The reason is that the !nodeUsedAsNumber(node.arithNodeFlags()) case of ArithDiv doesn't correctly handle -2^31/-1.
Michael Saboff
Comment 1 2013-01-15 21:48:28 PST
Dominik Röttsches (drott)
Comment 2 2013-01-16 02:26:18 PST
Expected test results fixed, see bug 106991.
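
An added example, not part of the bug report and not WebKit's code: the guards an integer-only division path needs so that it matches (a / b) | 0 for int32 operands, checked against a double-based reference. The function names and the input list are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Reference semantics of JavaScript (a / b) | 0 for int32 inputs:
 * divide as doubles, then apply ToInt32 (truncate, wrap modulo 2^32). */
static int32_t js_div_reference(int32_t a, int32_t b)
{
    if (b == 0)
        return 0;                     /* a / 0 is +-Infinity or NaN; ToInt32 gives 0 */
    double q = (double)a / (double)b; /* |q| <= 2^31, so it fits in int64_t */
    int64_t t = (int64_t)q;           /* conversion truncates toward zero */
    uint32_t u = (uint32_t)t;         /* wrap modulo 2^32 */
    return u >= 0x80000000u ? (int32_t)((int64_t)u - 4294967296LL) : (int32_t)u;
}

/* Integer-only path: both guards must run before the hardware divide. */
static int32_t div_used_as_int(int32_t a, int32_t b)
{
    if (b == 0)
        return 0;
    if (a == INT32_MIN && b == -1)
        return INT32_MIN;  /* true quotient 2^31 wraps to -2^31 under |0;
                              x86 idiv raises a divide error instead */
    return a / b;          /* C division truncates toward zero, like ToInt32 */
}

/* Constructed edge-case inputs; returns how many pairs disagree. */
static int count_mismatches(void)
{
    static const int32_t v[] = { INT32_MIN, INT32_MIN + 1, -7, -1, 0,
                                 1, 2, 7, INT32_MAX };
    const int n = (int)(sizeof v / sizeof v[0]);
    int bad = 0;
    for (int i = 0; i < n; ++i)
        for (int j = 0; j < n; ++j)
            if (div_used_as_int(v[i], v[j]) != js_div_reference(v[i], v[j]))
                ++bad;
    return bad;
}

int main(void)
{
    printf("foo(-2147483647-1, -1) = %d\n", (int)div_used_as_int(INT32_MIN, -1));
    printf("mismatches vs reference: %d\n", count_mismatches());
    return 0;
}
```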