[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.1.90-6072-g9a69373
Gustavo Noronha Silva
gns at gnome.org
Thu Apr 8 02:24:17 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit e8f4c1871fcf5678d66ffe0b35f37b1fe1385df6
Author: ggaren at apple.com <ggaren at apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Mon Mar 22 18:33:23 2010 +0000
JavaScriptCore: Fixed <rdar://problem/7728196> REGRESSION (r46701): -(-2147483648)
evaluates to -2147483648 on 32 bit (35842)
Reviewed by Sam Weinig.
Two ways to fix the same bug:
1. Check for overflow when negating, since negating the largest negative
int causes overflow.
2. Constant-fold even when negating a negative, since, like they say in
high school, "math works."
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branchNeg32):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::branchNeg32): Added a branching version
of the negate operator.
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_negate): Use the branching version of the negate
operator to check for overflow.
(JSC::JIT::emitSlow_op_negate): Link the check for overflow to a slow case.
(We could emit inline code for this, since we know what the result would
be, but that's probably just a waste of generated code.)
* parser/Grammar.y: Constant fold even when negating a negative.
LayoutTests: Added a test for <rdar://problem/7728196> REGRESSION (r46701): -(-2147483648)
evaluates to -2147483648 on 32 bit (35842)
Reviewed by Sam Weinig.
* fast/js/negate-overflow-expected.txt: Added.
* fast/js/negate-overflow.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56348 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JavaScriptCore/ChangeLog b/JavaScriptCore/ChangeLog
index 5f05427..93ef175 100644
--- a/JavaScriptCore/ChangeLog
+++ b/JavaScriptCore/ChangeLog
@@ -1,3 +1,34 @@
+2010-03-22 Geoffrey Garen <ggaren at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Fixed <rdar://problem/7728196> REGRESSION (r46701): -(-2147483648)
+ evaluates to -2147483648 on 32 bit (35842)
+
+ Two ways to fix the same bug:
+
+ 1. Check for overflow when negating, since negating the largest negative
+ int causes overflow.
+
+ 2. Constant-fold even when negating a negative, since, like they say in
+ high school, "math works."
+
+ * assembler/MacroAssemblerARM.h:
+ (JSC::MacroAssemblerARM::branchNeg32):
+ * assembler/MacroAssemblerX86Common.h:
+ (JSC::MacroAssemblerX86Common::branchNeg32): Added a branching version
+ of the negate operator.
+
+ * jit/JITArithmetic.cpp:
+ (JSC::JIT::emit_op_negate): Use the branching version of the negate
+ operator to check for overflow.
+
+ (JSC::JIT::emitSlow_op_negate): Link the check for overflow to a slow case.
+ (We could emit inline code for this, since we know what the result would
+ be, but that's probably just a waste of generated code.)
+
+ * parser/Grammar.y: Constant fold even when negating a negative.
+
2010-03-17 Mike Homey <glandium at debian.org>
Reviewed by Gustavo Noronha.
diff --git a/JavaScriptCore/assembler/MacroAssemblerARM.h b/JavaScriptCore/assembler/MacroAssemblerARM.h
index c41bba5..52c4fa2 100644
--- a/JavaScriptCore/assembler/MacroAssemblerARM.h
+++ b/JavaScriptCore/assembler/MacroAssemblerARM.h
@@ -545,6 +545,13 @@ public:
return Jump(m_assembler.jmp(ARMCondition(cond)));
}
+ Jump branchNeg32(Condition cond, RegisterID srcDest)
+ {
+ ASSERT((cond == Overflow) || (cond == Signed) || (cond == Zero) || (cond == NonZero));
+ neg32(srcDest);
+ return Jump(m_assembler.jmp(ARMCondition(cond)));
+ }
+
Jump branchOr32(Condition cond, RegisterID src, RegisterID dest)
{
ASSERT((cond == Signed) || (cond == Zero) || (cond == NonZero));
diff --git a/JavaScriptCore/assembler/MacroAssemblerX86Common.h b/JavaScriptCore/assembler/MacroAssemblerX86Common.h
index ad733d6..073f563 100644
--- a/JavaScriptCore/assembler/MacroAssemblerX86Common.h
+++ b/JavaScriptCore/assembler/MacroAssemblerX86Common.h
@@ -850,6 +850,13 @@ public:
return Jump(m_assembler.jCC(x86Condition(cond)));
}
+ Jump branchNeg32(Condition cond, RegisterID srcDest)
+ {
+ ASSERT((cond == Overflow) || (cond == Zero) || (cond == NonZero));
+ neg32(srcDest);
+ return Jump(m_assembler.jCC(x86Condition(cond)));
+ }
+
Jump branchOr32(Condition cond, RegisterID src, RegisterID dest)
{
ASSERT((cond == Signed) || (cond == Zero) || (cond == NonZero));
diff --git a/JavaScriptCore/jit/JITArithmetic.cpp b/JavaScriptCore/jit/JITArithmetic.cpp
index 2f2ffe3..5f546e2 100644
--- a/JavaScriptCore/jit/JITArithmetic.cpp
+++ b/JavaScriptCore/jit/JITArithmetic.cpp
@@ -57,8 +57,7 @@ void JIT::emit_op_negate(Instruction* currentInstruction)
Jump srcNotInt = branch32(NotEqual, regT1, Imm32(JSValue::Int32Tag));
addSlowCase(branch32(Equal, regT0, Imm32(0)));
-
- neg32(regT0);
+ addSlowCase(branchNeg32(Overflow, regT0));
emitStoreInt32(dst, regT0, (dst == src));
Jump end = jump();
@@ -79,6 +78,7 @@ void JIT::emitSlow_op_negate(Instruction* currentInstruction, Vector<SlowCaseEnt
unsigned dst = currentInstruction[1].u.operand;
linkSlowCase(iter); // 0 check
+ linkSlowCase(iter); // overflow check
linkSlowCase(iter); // double check
JITStubCall stubCall(this, cti_op_negate);
diff --git a/JavaScriptCore/parser/Grammar.y b/JavaScriptCore/parser/Grammar.y
index 717a266..4d6e7d1 100644
--- a/JavaScriptCore/parser/Grammar.y
+++ b/JavaScriptCore/parser/Grammar.y
@@ -1987,12 +1987,9 @@ static PropertyNode* makeGetterOrSetterPropertyNode(JSGlobalData* globalData, co
static ExpressionNode* makeNegateNode(JSGlobalData* globalData, ExpressionNode* n)
{
if (n->isNumber()) {
- NumberNode* number = static_cast<NumberNode*>(n);
-
- if (number->value() > 0.0) {
- number->setValue(-number->value());
- return number;
- }
+ NumberNode* numberNode = static_cast<NumberNode*>(n);
+ numberNode->setValue(-numberNode->value());
+ return numberNode;
}
return new (globalData) NegateNode(globalData, n);
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 410a0fb..a46adf4 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,13 @@
+2010-03-22 Geoffrey Garen <ggaren at apple.com>
+
+ Reviewed by Sam Weinig.
+
+ Added a test for <rdar://problem/7728196> REGRESSION (r46701): -(-2147483648)
+ evaluates to -2147483648 on 32 bit (35842)
+
+ * fast/js/negate-overflow-expected.txt: Added.
+ * fast/js/negate-overflow.html: Added.
+
2010-03-19 Chris Marrin <cmarrin at apple.com>
Reviewed by Simon Fraser.
diff --git a/LayoutTests/fast/js/negate-overflow-expected.txt b/LayoutTests/fast/js/negate-overflow-expected.txt
new file mode 100644
index 0000000..e25be8d
--- /dev/null
+++ b/LayoutTests/fast/js/negate-overflow-expected.txt
@@ -0,0 +1,7 @@
+Test for overflow when negating the largest negative signed int.
+
+If the test passes, you'll see a series of PASS messages below.
+
+PASS: x should be 2147483648 and is.
+PASS: y should be 2147483648 and is.
+
diff --git a/LayoutTests/fast/js/negate-overflow.html b/LayoutTests/fast/js/negate-overflow.html
new file mode 100644
index 0000000..5eeff6b
--- /dev/null
+++ b/LayoutTests/fast/js/negate-overflow.html
@@ -0,0 +1,39 @@
+<p>Test for overflow when negating the largest negative signed int.</p>
+<p>If the test passes, you'll see a series of PASS messages below.</p>
+
+<pre id="console"></pre>
+
+<script>
+function $(id)
+{
+ return document.getElementById(id);
+}
+
+function log(s)
+{
+ $("console").appendChild(document.createTextNode(s + "\n"));
+}
+
+function shouldBe(aDescription, a, b)
+{
+ if (a === b) {
+ log("PASS: " + aDescription + " should be " + b + " and is.");
+ } else {
+ log("FAIL: " + aDescription + " should be " + b + " but instead is " + a + ".");
+ }
+}
+
+(function () {
+ if (window.layoutTestController)
+ layoutTestController.dumpAsText();
+
+ // Can be constant-folded by the parser.
+ var x = -(-2147483648);
+ shouldBe("x", x, 2147483648);
+
+ // Can't be constant-folded without dataflow analysis.
+ var y = -2147483648;
+ y = -y;
+ shouldBe("y", y, 2147483648);
+})();
+</script>
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list