Ignore:
Timestamp:
Mar 19, 2012, 10:15:50 PM (13 years ago)
Author:
[email protected]
Message:

Division optimizations fail to infer cases of truncated division and
mishandle -2147483648/-1
https://bugs.webkit.org/show_bug.cgi?id=81428
<rdar://problem/11067382>

Reviewed by Oliver Hunt.

If you're a division over integers and you're only used as an integer, then you're
an integer division and remainder checks become unnecessary. If you're dividing
-2147483648 by -1, don't crash.

  • assembler/MacroAssemblerX86Common.h:

(MacroAssemblerX86Common):
(JSC::MacroAssemblerX86Common::add32):

  • dfg/DFGSpeculativeJIT.cpp:

(DFG):
(JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):

  • dfg/DFGSpeculativeJIT.h:

(SpeculativeJIT):

  • dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • llint/LowLevelInterpreter64.asm:
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm

    r110383 r111355  
    595595            # Assume t3 is scratchable.
    596596            btiz left, slow
     597            bineq left, -1, .notNeg2TwoThe31DivByNeg1
     598            bieq right, -2147483648, .slow
     599        .notNeg2TwoThe31DivByNeg1:
    597600            btinz right, .intOK
    598601            bilt left, 0, slow
Note: See TracChangeset for help on using the changeset viewer.