Context Navigation

Changeset 93298 in webkit

Timestamp:

Aug 18, 2011 4:47:26 AM (13 years ago)

Author:

fpizlo@apple.com

Message:

[jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly
https://bugs.webkit.org/show_bug.cgi?id=66426

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

Changed the branchTestPtr to branchTest32.

(JSC::DFG::SpeculativeJIT::compile):

LayoutTests:

Reviewed by Oliver Hunt.

Added a trivial test of mod-by-zero, which fails with the previous version
of the DFG speculative JIT.

(mod):

Location:

trunk

Files:

-                      r93293
+                      r93298
+-08-18  Filip Pizlo  <fpizlo@apple.com>
+        [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly
+        https://bugs.webkit.org/show_bug.cgi?id=66426
+        Reviewed by Oliver Hunt.
+        Added a trivial test of mod-by-zero, which fails with the previous version
+        of the DFG speculative JIT.
+        * fast/js/mod-by-zero-expected.txt: Added.
+        * fast/js/mod-by-zero.html: Added.
+        * fast/js/script-tests/mod-by-zero.js: Added.
+        (mod):
 -08-18  Steve Block  <steveblock@google.com>

-                      r93277
+                      r93298
+-08-18  Filip Pizlo  <fpizlo@apple.com>
+        [jsfunfuzz] DFG speculative JIT does divide-by-zero checks incorrectly
+        https://bugs.webkit.org/show_bug.cgi?id=66426
+        Reviewed by Oliver Hunt.
+        Changed the branchTestPtr to branchTest32.
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
 -08-17  Thouraya ANDOLSI  <thouraya.andolsi@st.com>

r93010	r93298
813	813	GPRReg op2Gpr = op2.gpr();
814	814
815		speculationCheck(m_jit.branchTest~~Ptr~~(JITCompiler::Zero, op2Gpr));
	815	speculationCheck(m_jit.branchTest32(JITCompiler::Zero, op2Gpr));
816	816
817	817	GPRReg temp2 = InvalidGPRReg;

Note: See TracChangeset for help on using the changeset viewer.