Bug 81428

Summary: Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: darin, ossy
Priority: P2 Keywords: InRadar
Version: 312.x   
Hardware: All   
OS: All   
Attachments:
Description Flags
the patch
barraclough: review+
the patch
none
proposed 32bit buildfix none

Description Filip Pizlo 2012-03-16 16:27:04 PDT 
Patch forthcoming.
Comment 1 Filip Pizlo 2012-03-16 16:27:25 PDT 
<rdar://problem/11067382>
Comment 2 Filip Pizlo 2012-03-16 16:42:16 PDT 
Created attachment 132414 [details]
the patch
Comment 3 Filip Pizlo 2012-03-19 19:41:37 PDT 
Created attachment 132748 [details]
the patch
Comment 4 Filip Pizlo 2012-03-19 22:19:40 PDT 
Landed in http://trac.webkit.org/changeset/111355
Comment 5 Csaba Osztrogonác 2012-03-20 04:16:25 PDT 
Comment on attachment 132748 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=132748&action=review

Reopen, because it broke the 32 bit build. Unfortunately EWS didn't 
notice it, because -Werror was disabled because of an other bug. :(

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2486
> +        speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483648)));

../../../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2486: error: this decimal constant is unsigned only in ISO C90

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2489
> +        JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483648));

../../../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2489: error: this decimal constant is unsigned only in ISO C90
Comment 6 Csaba Osztrogonác 2012-03-20 04:16:36 PDT 
.
Comment 7 Csaba Osztrogonác 2012-03-20 04:48:31 PDT 
Created attachment 132800 [details]
proposed 32bit buildfix
Comment 8 Zoltan Herczeg 2012-03-20 04:50:18 PDT 
Comment on attachment 132800 [details]
proposed 32bit buildfix

rs=me
Comment 9 Csaba Osztrogonác 2012-03-20 04:56:19 PDT 
Comment on attachment 132800 [details]
proposed 32bit buildfix

Landed in http://trac.webkit.org/changeset/111381
Comment 10 Filip Pizlo 2012-03-20 11:58:05 PDT 
Thanks for the build fix!
Comment 11 Darin Adler 2012-03-23 09:06:15 PDT 
Where’s the regression test for the crash?
Comment 12 Filip Pizlo 2012-03-23 12:16:59 PDT 
(In reply to comment #11)
> Where’s the regression test for the crash?

http://trac.webkit.org/changeset/111481

That includes a test that checks corner cases for both division and modulo.