Bug 66426

Summary:

[jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, fpizlo, ggaren, jruderman, msaboff, oliver, webkit.review.bot

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
the patch	none

Description Filip Pizlo 2011-08-17 16:15:46 PDT

The DFG speculative JIT's path for emitting an ArithMod does a divide-by-zero check on a potentially boxed integer by testing the full 64 bit value for zero.  This will always succeed if the value is boxed.

Comment 1 Filip Pizlo 2011-08-17 16:21:51 PDT

Created attachment 104270 [details]
the patch

Comment 2 Oliver Hunt 2011-08-17 16:23:35 PDT

<rdar://problem/9972530>

Comment 3 WebKit Review Bot 2011-08-18 04:47:40 PDT

Comment on attachment 104270 [details]
the patch

Clearing flags on attachment: 104270

Committed r93298: <http://trac.webkit.org/changeset/93298>

Comment 4 WebKit Review Bot 2011-08-18 04:47:44 PDT

All reviewed patches have been landed.  Closing bug.