From e0892c4f8d16204aa21b9915b457ab23ae1df37c Mon Sep 17 00:00:00 2001 From: Michael Saboff Date: Thu, 4 Apr 2013 12:15:35 +0200 Subject: DFG X86: division in the used-as-int case doesn't correctly check for -2^31/-1 https://bugs.webkit.org/show_bug.cgi?id=106978 Reviewed by Filip Pizlo. Source/JavaScriptCore: Changed the numerator equal to -2^31 check to just return if we expect an integer result, since the check is after we have determined that the denominator is -1. The int result of -2^31 / -1 is -2^31, so just return the numerator as the result. * dfg/DFGSpeculativeJIT.cpp: (JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86): LayoutTests: Added a new DFG check for -2^31 / -1 when we expect and integer result. * fast/js/integer-division-neg2tothe32-by-neg1-expected.txt: * fast/js/script-tests/integer-division-neg2tothe32-by-neg1.js: (myDivExpectingInt): Change-Id: Ifd8dd24e75e60520a140c09948dd3ab49aaa3fa8 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@139835 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Source/JavaScriptCore') diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp index d7f7b2fab..96a994059 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp +++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp @@ -3097,11 +3097,11 @@ void SpeculativeJIT::compileIntegerArithDivForX86(Node& node) speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1))); } else { JITCompiler::Jump zero = m_jit.branchTest32(JITCompiler::Zero, op2GPR); - JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1)); + JITCompiler::Jump isNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1)); zero.link(&m_jit); m_jit.move(TrustedImm32(0), eax.gpr()); + isNeg2ToThe31.link(&m_jit); done = m_jit.jump(); - notNeg2ToThe31.link(&m_jit); } safeDenominator.link(&m_jit); -- cgit v1.2.1