From e0892c4f8d16204aa21b9915b457ab23ae1df37c Mon Sep 17 00:00:00 2001 From: Michael Saboff Date: Thu, 4 Apr 2013 12:15:35 +0200 Subject: DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1 https://bugs.webkit.org/show_bug.cgi?id=106978 Reviewed by Filip Pizlo. Source/JavaScriptCore: Changed the numerator equal to -2^31 check to just return if we expect an integer result, since the check is after we have determined that the denominator is -1. The int result of -2^31 / -1 is -2^31, so just return the numerator as the result. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86): LayoutTests: Added a new DFG check for -2^31 / -1 when we expect and integer result. * fast/js/integer-division-neg2tothe32-by-neg1-expected.txt: * fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js: (myDivExpectingInt): Change-Id: Ifd8dd24e75e60520a140c09948dd3ab49aaa3fa8 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139835 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp') diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp index d7f7b2fab..96a994059 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp @@ -3097,11 +3097,11 @@ void SpeculativeJIT::compileIntegerArithDivForX86(Node& node) speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1))); } else { JITCompiler::Jump zero = m_jit.branchTest32(JITCompiler::Zero, op2GPR); - JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1)); + JITCompiler::Jump isNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1)); zero.link(&m_jit); m_jit.move(TrustedImm32(0), eax.gpr()); + isNeg2ToThe31.link(&m_jit); done = m_jit.jump(); - notNeg2ToThe31.link(&m_jit); } safeDenominator.link(&m_jit); -- cgit v1.2.1 From 4fa26ee918729063f9b731d801064b22ae7d8fd9 Mon Sep 17 00:00:00 2001 From: Michael Saboff Date: Thu, 4 Apr 2013 13:58:00 +0200 Subject: Change set r140201 broke editing/selection/move-by-word-visually-multi-line.html https://bugs.webkit.org/show_bug.cgi?id=107340 Reviewed by Filip Pizlo. Due to the change landed in r140201, more nodes might end up generating Int32ToDouble nodes. Therefore, changed the JSVALUE64 constant path of compileInt32ToDouble() to use the more restrictive isInt32Constant() check on the input. This check was the same as the existing ASSERT() so the ASSERT was eliminated. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileInt32ToDouble): Change-Id: I8e9f3858414e37f5b8232a58d8f6f9dada755343 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140221 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp') diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp index 96a994059..4f2889b8f 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp @@ -2250,8 +2250,7 @@ void SpeculativeJIT::compileInt32ToDouble(Node& node) // than a int->double conversion. On 32_64, unfortunately, we currently don't have // any such mechanism - though we could have it, if we just provisioned some memory // in CodeBlock for the double form of integer constants. - if (at(node.child1()).hasConstant()) { - ASSERT(isInt32Constant(node.child1().index())); + if (isInt32Constant(node.child1().index())) { FPRTemporary result(this); GPRTemporary temp(this); m_jit.move(MacroAssembler::Imm64(reinterpretDoubleToInt64(valueOfNumberConstant(node.child1().index()))), temp.gpr()); -- cgit v1.2.1