Changeset 93298 in webkit for trunk/Source/JavaScriptCore


Ignore:
Timestamp:
Aug 18, 2011, 4:47:26 AM (14 years ago)
Author:
[email protected]
Message:

[jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly
https://bugs.webkit.org/show_bug.cgi?id=66426

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

Changed the branchTestPtr to branchTest32.

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

Reviewed by Oliver Hunt.

Added a trivial test of mod-by-zero, which fails with the previous version
of the DFG speculative JIT.

  • fast/js/mod-by-zero-expected.txt: Added.
  • fast/js/mod-by-zero.html: Added.
  • fast/js/script-tests/mod-by-zero.js: Added.

(mod):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r93277 r93298  
     12011-08-18  Filip Pizlo  <[email protected]>
     2
     3        [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly
     4        https://bugs.webkit.org/show_bug.cgi?id=66426
     5
     6        Reviewed by Oliver Hunt.
     7       
     8        Changed the branchTestPtr to branchTest32.
     9
     10        * dfg/DFGSpeculativeJIT.cpp:
     11        (JSC::DFG::SpeculativeJIT::compile):
     12
    1132011-08-17  Thouraya ANDOLSI  <[email protected]>
    214

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r93010 r93298  
    813813        GPRReg op2Gpr = op2.gpr();
    814814
    815         speculationCheck(m_jit.branchTestPtr(JITCompiler::Zero, op2Gpr));
     815        speculationCheck(m_jit.branchTest32(JITCompiler::Zero, op2Gpr));
    816816
    817817        GPRReg temp2 = InvalidGPRReg;
Note: See TracChangeset for help on using the changeset viewer.