81428 – Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1

RESOLVED FIXED 81428

Division optimizations fail to infer cases of truncated division and mishandle -2147483648/-1

https://bugs.webkit.org/show_bug.cgi?id=81428

Summary Division optimizations fail to infer cases of truncated division and mishandl...

Filip Pizlo

Reported 2012-03-16 16:27:04 PDT

Patch forthcoming.

Attachments
the patch (9.14 KB, patch) 2012-03-16 16:42 PDT, Filip Pizlo	barraclough: review+	Details Formatted Diff Diff
the patch (11.33 KB, patch) 2012-03-19 19:41 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
proposed 32bit buildfix (2.12 KB, patch) 2012-03-20 04:48 PDT, Csaba Osztrogonác	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2012-03-16 16:27:25 PDT

<rdar://problem/11067382>

Filip Pizlo

Comment 2 2012-03-16 16:42:16 PDT

Created attachment 132414 [details] the patch

Filip Pizlo

Comment 3 2012-03-19 19:41:37 PDT

Created attachment 132748 [details] the patch

Filip Pizlo

Comment 4 2012-03-19 22:19:40 PDT

Landed in http://trac.webkit.org/changeset/111355

Csaba Osztrogonác

Comment 5 2012-03-20 04:16:25 PDT

Comment on attachment 132748 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=132748&action=review Reopen, because it broke the 32 bit build. Unfortunately EWS didn't notice it, because -Werror was disabled because of an other bug. :( > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2486 > + speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483648))); ../../../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2486: error: this decimal constant is unsigned only in ISO C90 > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2489 > + JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483648)); ../../../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2489: error: this decimal constant is unsigned only in ISO C90

Csaba Osztrogonác

Comment 6 2012-03-20 04:16:36 PDT

Csaba Osztrogonác

Comment 7 2012-03-20 04:48:31 PDT

Created attachment 132800 [details] proposed 32bit buildfix

Zoltan Herczeg

Comment 8 2012-03-20 04:50:18 PDT

Comment on attachment 132800 [details] proposed 32bit buildfix rs=me

Csaba Osztrogonác

Comment 9 2012-03-20 04:56:19 PDT

Comment on attachment 132800 [details] proposed 32bit buildfix Landed in http://trac.webkit.org/changeset/111381

Filip Pizlo

Comment 10 2012-03-20 11:58:05 PDT

Thanks for the build fix!

Darin Adler

Comment 11 2012-03-23 09:06:15 PDT

Where’s the regression test for the crash?

Filip Pizlo

Comment 12 2012-03-23 12:16:59 PDT

(In reply to comment #11) > Where’s the regression test for the crash? http://trac.webkit.org/changeset/111481 That includes a test that checks corner cases for both division and modulo.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 312.x

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2012-03-16 16:27 PDT

Modified

2012-03-23 12:16 PDT History

CC List

2 users Show

URL

Keywords InRadar

Depends on

Blocks