Changeset 56348 in webkit for trunk/JavaScriptCore/parser

Timestamp:

Mar 22, 2010, 11:33:23 AM (15 years ago)

Author:

[email protected]

Message:

JavaScriptCore: Fixed <rdar://problem/7728196> REGRESSION (r46701): -(-2147483648)
evaluates to -2147483648 on 32 bit (35842)

Reviewed by Sam Weinig.

Two ways to fix the same bug:

1. Check for overflow when negating, since negating the largest negative

int causes overflow.

2. Constant-fold even when negating a negative, since, like they say in

high school, "math works."

• assembler/MacroAssemblerARM.h:

(JSC::MacroAssemblerARM::branchNeg32):

• assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::branchNeg32): Added a branching version
of the negate operator.

• jit/JITArithmetic.cpp:

(JSC::JIT::emit_op_negate): Use the branching version of the negate
operator to check for overflow.

(JSC::JIT::emitSlow_op_negate): Link the check for overflow to a slow case.
(We could emit inline code for this, since we know what the result would
be, but that's probably just a waste of generated code.)

• parser/Grammar.y: Constant fold even when negating a negative.

LayoutTests: Added a test for <rdar://problem/7728196> REGRESSION (r46701): -(-2147483648)
evaluates to -2147483648 on 32 bit (35842)

Reviewed by Sam Weinig.

• fast/js/negate-overflow-expected.txt: Added.
• fast/js/negate-overflow.html: Added.

File:

• trunk/JavaScriptCore/parser/Grammar.y (modified) (1 diff)

trunk/JavaScriptCore/parser/Grammar.y

@@ -1988 +1988 @@
 {
     if (n->isNumber()) {
-        NumberNode* number = static_cast<NumberNode*>(n);
-
-        if (number->value() > 0.0) {
-            number->setValue(-number->value());
-            return number;
-        }
+        NumberNode* numberNode = static_cast<NumberNode*>(n);
+        numberNode->setValue(-numberNode->value());
+        return numberNode;
     }