66426 – [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly

RESOLVED FIXED 66426

[jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly

https://bugs.webkit.org/show_bug.cgi?id=66426

Summary [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly

Filip Pizlo

Reported 2011-08-17 16:15:46 PDT

The DFG speculative JIT's path for emitting an ArithMod does a divide-by-zero check on a potentially boxed integer by testing the full 64 bit value for zero. This will always succeed if the value is boxed.

Attachments
the patch (3.69 KB, patch) 2011-08-17 16:21 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2011-08-17 16:21:51 PDT

Created attachment 104270 [details] the patch

Oliver Hunt

Comment 2 2011-08-17 16:23:35 PDT

<rdar://problem/9972530>

WebKit Review Bot

Comment 3 2011-08-18 04:47:40 PDT

Comment on attachment 104270 [details] the patch Clearing flags on attachment: 104270 Committed r93298: <http://trac.webkit.org/changeset/93298>

WebKit Review Bot

Comment 4 2011-08-18 04:47:44 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2011-08-17 16:15 PDT

Modified

2011-08-18 04:47 PDT History

CC List

7 users Show

URL

Keywords InRadar

Depends on

Blocks