66426 – [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly

Bug 66426 - [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly

Summary: [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Nobody

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2011-08-17 16:15 PDT by Filip Pizlo
Modified:	2011-08-18 04:47 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
the patch (3.69 KB, patch) 2011-08-17 16:21 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2011-08-17 16:15:46 PDT

The DFG speculative JIT's path for emitting an ArithMod does a divide-by-zero check on a potentially boxed integer by testing the full 64 bit value for zero.  This will always succeed if the value is boxed.

Comment 1 Filip Pizlo 2011-08-17 16:21:51 PDT

Created attachment 104270 [details]
the patch

Comment 2 Oliver Hunt 2011-08-17 16:23:35 PDT

<rdar://problem/9972530>

Comment 3 WebKit Review Bot 2011-08-18 04:47:40 PDT

Comment on attachment 104270 [details]
the patch

Clearing flags on attachment: 104270

Committed r93298: <http://trac.webkit.org/changeset/93298>

Comment 4 WebKit Review Bot 2011-08-18 04:47:44 PDT

All reviewed patches have been landed.  Closing bug.