author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Wed, 5 Apr 2017 03:50:07 +0000 (03:50 +0000)
committer: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
        Wed, 5 Apr 2017 03:50:07 +0000 (03:50 +0000)
commit: aeea7b398a5ad25e4ff6267785c57a1f59bb45e0
tree: 0f8a9f590fee711ccfb0b98695523c70c3ee2603
parent: 4356f3e49dedfa333264c748ea080d7d49581d40
On ARM64, DFG::SpeculativeJIT::compileArithMod() failed to ensure result is of DataFormatInt32.
https://bugs.webkit.org/show_bug.cgi?id=170473
<rdar://problem/29912391>

Reviewed by Saam Barati.

JSTests:

* stress/regress-170473.js: Added.

Source/JavaScriptCore:

In Unchecked mode, when DFG::SpeculativeJIT::compileArithMod() detects that the
divisor is 0, we want it to return 0.  The result is expected to be of
DataFormatInt32.

The ARM implementation just returns the value in the divisor register.  However,
the divisor in this case can be of DataFormatJSInt32.  On ARM64, returning the
divisor register yields the wrong result format because the same register also
holds the upper 32-bit of the JSValue encoding.  The fix is to return an
immediate 0 instead.

Also turned on the assertion in jitAssertIsInt32 for ARM64.  This assertion being
disabled may have contributed to this bug going unnoticed all this time.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithMod):
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::jitAssertIsInt32):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@214927 268f45cc-cd09-0410-ab3c-d52691b4dbfc
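To make the register-format mismatch concrete, here is an added C model (not WebKit code) of the two ARM64 zero-divisor paths the commit message describes; NUMBER_TAG, box_int32, is_data_format_int32, mod_by_zero_before_fix and mod_by_zero_after_fix are constructed names, and the tag constant is an assumption standing in for JSC's 64-bit int32 tag.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of one 64-bit GPR holding a JSValue-encoded int32.
 * Assumption: the number tag occupies the upper 32 bits, as in JSC's
 * 64-bit JSValue encoding; the exact constant here is illustrative. */
#define NUMBER_TAG 0xffff000000000000ULL

typedef uint64_t Reg;

/* DataFormatJSInt32: payload in the low 32 bits, tag in the high 32 bits. */
static Reg box_int32(int32_t v) { return NUMBER_TAG | (uint32_t)v; }

/* The invariant jitAssertIsInt32 enforces for a DataFormatInt32 register:
 * the upper 32 bits must be zero (the commit re-enables this on ARM64). */
static bool is_data_format_int32(Reg r) { return (r >> 32) == 0; }

/* ARM64 zero-divisor path before the fix: hand back the divisor register,
 * which may still carry the JSValue tag in its upper half. */
static Reg mod_by_zero_before_fix(Reg divisor) { return divisor; }

/* After the fix: materialise an immediate 0 in the result register. */
static Reg mod_by_zero_after_fix(Reg divisor) { (void)divisor; return 0; }

/* What a consumer that trusts the DataFormatInt32 contract and reads the
 * whole 64-bit register sees. The low 32 bits are 0 either way, which is
 * why the wrong format could go unnoticed. */
static int64_t consume_as_int64(Reg r) { return (int64_t)r; }

int main(void) {
    Reg divisor = box_int32(0);   /* x % 0 with the divisor still boxed */
    Reg before = mod_by_zero_before_fix(divisor);
    Reg after  = mod_by_zero_after_fix(divisor);
    printf("before: 0x%016llx int32-ok=%d as-int64=%lld\n",
           (unsigned long long)before, is_data_format_int32(before),
           (long long)consume_as_int64(before));
    printf("after:  0x%016llx int32-ok=%d as-int64=%lld\n",
           (unsigned long long)after, is_data_format_int32(after),
           (long long)consume_as_int64(after));
    return 0;
}
```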
JSTests/ChangeLog
JSTests/stress/regress-170473.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/jit/AssemblyHelpers.cpp