Bug 81428 - Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 312.x
Hardware: All All
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2012-03-16 16:27 PDT by Filip Pizlo
Modified: 2012-03-23 12:16 PDT

Attachments
the patch (9.14 KB, patch)
2012-03-16 16:42 PDT, Filip Pizlo
barraclough: review+
the patch (11.33 KB, patch)
2012-03-19 19:41 PDT, Filip Pizlo
no flags
proposed 32bit buildfix (2.12 KB, patch)
2012-03-20 04:48 PDT, Csaba Osztrogonác
no flags

Description Filip Pizlo 2012-03-16 16:27:04 PDT
Patch forthcoming.
Comment 1 Filip Pizlo 2012-03-16 16:27:25 PDT
<rdar://problem/11067382>
Comment 2 Filip Pizlo 2012-03-16 16:42:16 PDT
Created attachment 132414 [details]
the patch
Comment 3 Filip Pizlo 2012-03-19 19:41:37 PDT
Created attachment 132748 [details]
the patch
Comment 4 Filip Pizlo 2012-03-19 22:19:40 PDT
Landed in http://trac.webkit.org/changeset/111355
Comment 5 Csaba Osztrogonác 2012-03-20 04:16:25 PDT
Comment on attachment 132748 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=132748&action=review

Reopen, because it broke the 32 bit build. Unfortunately EWS didn't 
notice it, because -Werror was disabled because of another bug. :(

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2486
> +        speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483648)));
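
Review bot: The TrustedImm32(-2147483648) operand at the end of this line is not a single negative literal. It is unary minus applied to 2147483648, a value that does not fit in a 32-bit int, so the constant's type depends on the language mode and the target's integer widths. Spell the minimum int32 as -2147483647 - 1, or use INT_MIN, so the immediate is a signed 32-bit value on every build.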

../../../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2486: error: this decimal constant is unsigned only in ISO C90

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2489
> +        JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483648));
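
Review bot: The jump on this line is named notNeg2ToThe31 but is created with JITCompiler::Equal, so it is taken when op1GPR equals -2^31, the opposite of what the name says. Either rename it (for example isNeg2ToThe31) or confirm that the condition is not meant to be NotEqual. The TrustedImm32(-2147483648) operand here should also be written as -2147483647 - 1 or INT_MIN so that it is a signed 32-bit constant.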

../../../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2489: error: this decimal constant is unsigned only in ISO C90
Comment 6 Csaba Osztrogonác 2012-03-20 04:16:36 PDT
.
Comment 7 Csaba Osztrogonác 2012-03-20 04:48:31 PDT
Created attachment 132800 [details]
proposed 32bit buildfix
Comment 8 Zoltan Herczeg 2012-03-20 04:50:18 PDT
Comment on attachment 132800 [details]
proposed 32bit buildfix

rs=me
Comment 9 Csaba Osztrogonác 2012-03-20 04:56:19 PDT
Comment on attachment 132800 [details]
proposed 32bit buildfix

Landed in http://trac.webkit.org/changeset/111381
Comment 10 Filip Pizlo 2012-03-20 11:58:05 PDT
Thanks for the build fix!
Comment 11 Darin Adler 2012-03-23 09:06:15 PDT
Where’s the regression test for the crash?
Comment 12 Filip Pizlo 2012-03-23 12:16:59 PDT
(In reply to comment #11)
> Where’s the regression test for the crash?

http://trac.webkit.org/changeset/111481

That includes a test that checks corner cases for both division and modulo.