Ignore:
Timestamp:
Aug 18, 2011, 4:47:26 AM (14 years ago)
Author:
[email protected]
Message:

[jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly
https://bugs.webkit.org/show_bug.cgi?id=66426

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

Changed the branchTestPtr to branchTest32.

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

Reviewed by Oliver Hunt.

Added a trivial test of mod-by-zero, which fails with the previous version
of the DFG speculative JIT.

  • fast/js/mod-by-zero-expected.txt: Added.
  • fast/js/mod-by-zero.html: Added.
  • fast/js/script-tests/mod-by-zero.js: Added.

(mod):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r93010 r93298  
    813813        GPRReg op2Gpr = op2.gpr();
    814814
    815         speculationCheck(m_jit.branchTestPtr(JITCompiler::Zero, op2Gpr));
     815        speculationCheck(m_jit.branchTest32(JITCompiler::Zero, op2Gpr));
    816816
    817817        GPRReg temp2 = InvalidGPRReg;
Note: See TracChangeset for help on using the changeset viewer.