Bug 81428

Summary:

Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Nobody <webkit-unassigned>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

darin, ossy

Priority:

Keywords:

InRadar

Version:

312.x

Hardware:

All

OS:

All

Attachments:

Description	Flags
the patch	barraclough: review+
the patch	none
proposed 32bit buildfix	none

Filip Pizlo

Reported 2012-03-16 16:27:04 PDT

Patch forthcoming.

Attachments
the patch (9.14 KB, patch) 2012-03-16 16:42 PDT, Filip Pizlo	barraclough: review+	Details Formatted Diff Diff
the patch (11.33 KB, patch) 2012-03-19 19:41 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
proposed 32bit buildfix (2.12 KB, patch) 2012-03-20 04:48 PDT, Csaba Osztrogonác	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2012-03-16 16:27:25 PDT

<rdar://problem/11067382>

Filip Pizlo

Comment 2 2012-03-16 16:42:16 PDT

Created attachment 132414 [details] the patch

Filip Pizlo

Comment 3 2012-03-19 19:41:37 PDT

Created attachment 132748 [details] the patch

Filip Pizlo

Comment 4 2012-03-19 22:19:40 PDT

Landed in http://trac.webkit.org/changeset/111355

Csaba Osztrogonác

Comment 5 2012-03-20 04:16:25 PDT

Comment on attachment 132748 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=132748&action=review Reopen, because it broke the 32 bit build. Unfortunately EWS didn't notice it, because -Werror was disabled because of an other bug. :( > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2486 > + speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483648))); ../../../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2486: error: this decimal constant is unsigned only in ISO C90 > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2489 > + JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483648)); ../../../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2489: error: this decimal constant is unsigned only in ISO C90

Csaba Osztrogonác

Comment 6 2012-03-20 04:16:36 PDT

Csaba Osztrogonác

Comment 7 2012-03-20 04:48:31 PDT

Created attachment 132800 [details] proposed 32bit buildfix

Zoltan Herczeg

Comment 8 2012-03-20 04:50:18 PDT

Comment on attachment 132800 [details] proposed 32bit buildfix rs=me

Csaba Osztrogonác

Comment 9 2012-03-20 04:56:19 PDT

Comment on attachment 132800 [details] proposed 32bit buildfix Landed in http://trac.webkit.org/changeset/111381

Filip Pizlo

Comment 10 2012-03-20 11:58:05 PDT

Thanks for the build fix!

Darin Adler

Comment 11 2012-03-23 09:06:15 PDT

Where’s the regression test for the crash?

Filip Pizlo

Comment 12 2012-03-23 12:16:59 PDT

(In reply to comment #11) > Where’s the regression test for the crash? http://trac.webkit.org/changeset/111481 That includes a test that checks corner cases for both division and modulo.

Note You need to log in before you can comment on or make changes to this bug.