Bug 170473

Summary: On ARM64, DFG::SpeculativeJIT::compileArithMod() failed to ensure result is of DataFormatInt32.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCore Assignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, fpizlo, jfbastien, keith_miller, msaboff, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch. none

Description Mark Lam 2017-04-04 14:50:12 PDT
In Unchecked mode, when DFG::SpeculativeJIT::compileArithMod() detects that the divisor is 0, it just returns the divisor as the result.  However, the result is expected to be of DataFormatInt32, but the divisor in this case is of DataFormatJSInt32.  The fix is to return an immediate 0 instead.

<rdar://problem/29912391>
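The mismatch described above, as an added example that is not WebKit's code or the patch from this bug. It is a simplified model: only the two format names come from the report, while the `Reg` struct, the function names, the number-tag constant and the "no bits above bit 31" invariant are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified model, not WebKit code. Only the two format names come from the bug report.
enum DataFormat { DataFormatInt32, DataFormatJSInt32 };

// Assumption: 64-bit JSValue boxing where a boxed int32 carries a number tag in its top 16 bits.
constexpr uint64_t kNumberTag = 0xffff000000000000ull;

struct Reg {
    uint64_t bits;      // what the machine register actually holds
    DataFormat format;  // what the compiler has recorded about it
};

Reg boxedInt32(int32_t v) { return { kNumberTag | static_cast<uint32_t>(v), DataFormatJSInt32 }; }
int32_t unbox(Reg r) { return static_cast<int32_t>(r.bits); }

// Unchecked-mode modulo: a zero divisor yields a result instead of bailing out.
// The result is recorded as DataFormatInt32 in both variants.
Reg arithModUnchecked(Reg dividend, Reg divisor, bool fixed)
{
    if (unbox(divisor) == 0) {
        if (fixed)
            return { 0, DataFormatInt32 };         // after: immediate 0
        return { divisor.bits, DataFormatInt32 };  // before: reuses the boxed divisor's bits
    }
    // 64-bit arithmetic avoids the INT32_MIN % -1 overflow case.
    int64_t r = static_cast<int64_t>(unbox(dividend)) % unbox(divisor);
    return { static_cast<uint32_t>(static_cast<int32_t>(r)), DataFormatInt32 };
}

// Invariant assumed in this model for a DataFormatInt32 register: nothing above bit 31.
bool holdsRawInt32(Reg r) { return r.format == DataFormatInt32 && (r.bits >> 32) == 0; }

int main()
{
    Reg before = arithModUnchecked(boxedInt32(7), boxedInt32(0), false);
    Reg after = arithModUnchecked(boxedInt32(7), boxedInt32(0), true);
    std::printf("before: bits=0x%016llx rawInt32=%d\n",
                static_cast<unsigned long long>(before.bits), holdsRawInt32(before));
    std::printf("after:  bits=0x%016llx rawInt32=%d\n",
                static_cast<unsigned long long>(after.bits), holdsRawInt32(after));
    return 0;
}
```

A check like `holdsRawInt32` placed on the result of each arithmetic lowering path in a debug build catches this class of format mismatch at the point where it is introduced.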
Comment 1 Mark Lam 2017-04-04 15:28:36 PDT
Created attachment 306217
proposed patch.
Comment 2 Mark Lam 2017-04-04 20:22:20 PDT
Comment on attachment 306217
proposed patch.

Thanks for the review.  Landing now.
Comment 3 WebKit Commit Bot 2017-04-04 20:50:10 PDT
Comment on attachment 306217
proposed patch.

Clearing flags on attachment: 306217

Committed r214927: <http://trac.webkit.org/changeset/214927>
Comment 4 WebKit Commit Bot 2017-04-04 20:50:12 PDT
All reviewed patches have been landed.  Closing bug.