[webkit-changes] [139835] trunk

[msaboff]

Title: [139835] trunk

Revision

139835

Author

msab...@apple.com

Date

2013-01-15 21:47:09 -0800 (Tue, 15 Jan 2013)

Log Message

DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1
https://bugs.webkit.org/show_bug.cgi?id=106978

Reviewed by Filip Pizlo.

Source/_javascript_Core: 

Changed the numerator equal to -2^31 check to just return if we expect an integer
result, since the check is after we have determined that the denominator is -1.
The int result of -2^31 / -1 is -2^31, so just return the numerator as the result.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):

LayoutTests: 

Added a new DFG check for -2^31 / -1 when we expect and integer result.

* fast/js/integer-division-neg2tothe32-by-neg1-expected.txt:
* fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js:
(myDivExpectingInt):

Modified Paths

• trunk/LayoutTests/ChangeLog
• trunk/LayoutTests/fast/js/integer-division-neg2tothe32-by-neg1-expected.txt
• trunk/LayoutTests/fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp

Diff

Modified: trunk/LayoutTests/ChangeLog (139834 => 139835)

--- trunk/LayoutTests/ChangeLog	2013-01-16 05:25:37 UTC (rev 139834)
+++ trunk/LayoutTests/ChangeLog	2013-01-16 05:47:09 UTC (rev 139835)
@@ -1,3 +1,16 @@
+2013-01-15  Michael Saboff  <msab...@apple.com>
+
+        DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1
+        https://bugs.webkit.org/show_bug.cgi?id=106978
+
+        Reviewed by Filip Pizlo.
+
+        Added a new DFG check for -2^31 / -1 when we expect and integer result.
+
+        * fast/js/integer-division-neg2tothe32-by-neg1-expected.txt:
+        * fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js:
+        (myDivExpectingInt):
+
 2013-01-15  Dominic Cooney  <domin...@chromium.org>
 
         [Chromium] Unreviewed gardening.

Modified: trunk/LayoutTests/fast/js/integer-division-neg2tothe32-by-neg1-expected.txt (139834 => 139835)

--- trunk/LayoutTests/fast/js/integer-division-neg2tothe32-by-neg1-expected.txt	2013-01-16 05:25:37 UTC (rev 139834)
+++ trunk/LayoutTests/fast/js/integer-division-neg2tothe32-by-neg1-expected.txt	2013-01-16 05:47:09 UTC (rev 139835)
@@ -2803,6 +2803,7 @@
 PASS myOtherModByNeg1(w) is -0
 PASS myOtherModNeg2ToThe31(v) is -0
 PASS myOtherModNeg2ToThe31(3) is -2
+PASS myDivExpectingInt(x, y) is x
 PASS successfullyParsed is true
 
 TEST COMPLETE

Modified: trunk/LayoutTests/fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js (139834 => 139835)

--- trunk/LayoutTests/fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js	2013-01-16 05:25:37 UTC (rev 139834)
+++ trunk/LayoutTests/fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js	2013-01-16 05:47:09 UTC (rev 139835)
@@ -50,6 +50,10 @@
     return -2147483648 % b;
 }
 
+function myDivExpectingInt(a, b) {
+    return (a / b) | 0;
+}
+
 var w = 4;
 var v = 2;
 var x = -2147483648;
@@ -76,5 +80,6 @@
     shouldBe("myOtherModByNeg1(w)", i > 100 ? "-0" : "0");
     shouldBe("myOtherModNeg2ToThe31(v)", "-0");
     shouldBe("myOtherModNeg2ToThe31(3)", "-2");
+    shouldBe("myDivExpectingInt(x, y)", "x");
 }
 

Modified: trunk/Source/_javascript_Core/ChangeLog (139834 => 139835)

--- trunk/Source/_javascript_Core/ChangeLog	2013-01-16 05:25:37 UTC (rev 139834)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-01-16 05:47:09 UTC (rev 139835)
@@ -1,3 +1,17 @@
+2013-01-15  Michael Saboff  <msab...@apple.com>
+
+        DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1
+        https://bugs.webkit.org/show_bug.cgi?id=106978
+
+        Reviewed by Filip Pizlo.
+
+        Changed the numerator equal to -2^31 check to just return if we expect an integer
+        result, since the check is after we have determined that the denominator is -1.
+        The int result of -2^31 / -1 is -2^31, so just return the numerator as the result.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
+
 2013-01-15  Levi Weintraub  <le...@chromium.org>
 
         Unreviewed, rolling out r139792.

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (139834 => 139835)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2013-01-16 05:25:37 UTC (rev 139834)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2013-01-16 05:47:09 UTC (rev 139835)
@@ -3318,11 +3318,11 @@
         speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1)));
     } else {
         JITCompiler::Jump zero = m_jit.branchTest32(JITCompiler::Zero, op2GPR);
-        JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1));
+        JITCompiler::Jump isNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1));
         zero.link(&m_jit);
         m_jit.move(TrustedImm32(0), eax.gpr());
+        isNeg2ToThe31.link(&m_jit);
         done = m_jit.jump();
-        notNeg2ToThe31.link(&m_jit);
     }
     
     safeDenominator.link(&m_jit);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes