Bug 66426

Summary:

[jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, fpizlo, ggaren, jruderman, msaboff, oliver, webkit.review.bot

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
the patch	none

Filip Pizlo

Reported 2011-08-17 16:15:46 PDT

The DFG speculative JIT's path for emitting an ArithMod does a divide-by-zero check on a potentially boxed integer by testing the full 64 bit value for zero. This will always succeed if the value is boxed.

Attachments
the patch (3.69 KB, patch) 2011-08-17 16:21 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2011-08-17 16:21:51 PDT

Created attachment 104270 [details] the patch

Oliver Hunt

Comment 2 2011-08-17 16:23:35 PDT

<rdar://problem/9972530>

WebKit Review Bot

Comment 3 2011-08-18 04:47:40 PDT

Comment on attachment 104270 [details] the patch Clearing flags on attachment: 104270 Committed r93298: <http://trac.webkit.org/changeset/93298>

WebKit Review Bot

Comment 4 2011-08-18 04:47:44 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.