106978 – DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1

RESOLVED FIXED 106978

DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1

https://bugs.webkit.org/show_bug.cgi?id=106978

Summary DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1

Michael Saboff

Reported 2013-01-15 20:59:53 PST

From <rdar://problem/13021805> Try this program: function foo(a, b) { return (a / b) | 0; } for (var i = 0; i < 200; ++i) print(foo(-2147483647-1, -1)); Expected result: prints -2147483648 200 times. Actual result: crash. The reason is that the !nodeUsedAsNumber(node.arithNodeFlags()) case of ArithDiv doesn't correctly handle -2^31/-1.

Attachments
Add attachment proposed patch, testcase, etc.

Michael Saboff

Comment 1 2013-01-15 21:48:28 PST

Committed r139835: <http://trac.webkit.org/changeset/139835>

Dominik Röttsches (drott)

Comment 2 2013-01-16 02:26:18 PST

Expected test results fixed, see bug 106991.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Michael Saboff

Reported

2013-01-15 20:59 PST

Modified

2013-01-16 02:26 PST History

CC List

1 user Show

URL

Keywords InRadar

Depends on

Blocks