Division optimizations fail to infer cases of truncated division and
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Mar 2012 05:15:50 +0000 (05:15 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Mar 2012 05:15:50 +0000 (05:15 +0000)
commit c44a4c4963ec12521c4428c5df0a3bce77c78743
tree 66bd6b0ea781c3e7320fc64f2a8cc461f4e3ca4c
parent 98f9066cd4a069421878b06221abc0f26b5b46e9

Division optimizations fail to infer cases of truncated division and
mishandle -2147483648/-1
https://bugs.webkit.org/show_bug.cgi?id=81428
<rdar://problem/11067382>

Reviewed by Oliver Hunt.

If you're a division over integers and you're only used as an integer, then you're
an integer division and remainder checks become unnecessary. If you're dividing
-2147483648 by -1, don't crash.

* assembler/MacroAssemblerX86Common.h:
(MacroAssemblerX86Common):
(JSC::MacroAssemblerX86Common::add32):
* dfg/DFGSpeculativeJIT.cpp:
(DFG):
(JSC::DFG::SpeculativeJIT::compileIntegerArithDivForX86):
* dfg/DFGSpeculativeJIT.h:
(SpeculativeJIT):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* llint/LowLevelInterpreter64.asm:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@111355 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
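
The two cases named in the commit message, modelled in C as an added example (not code from this commit or from JavaScriptCore). The function names `div_truncated` and `div_exact` are hypothetical, and the results follow JavaScript's `(a / b) | 0` and `a / b` semantics for int32 operands.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names; a model of the semantics, not JavaScriptCore code. */

/* JS `(a / b) | 0` on int32 operands: the quotient is only used as an
 * integer, so a non-zero remainder is truncated away and needs no check. */
int32_t div_truncated(int32_t a, int32_t b)
{
    if (b == 0)
        return 0;             /* Infinity | 0 and NaN | 0 are both 0 */
    if (a == INT32_MIN && b == -1)
        return INT32_MIN;     /* 2147483648 | 0 wraps to -2147483648; a raw
                               * x86 idiv faults here and C leaves it undefined */
    return a / b;             /* C division truncates toward zero, like | 0 */
}

/* JS `a / b` whose result may be observed as a number: stay on the int32
 * path only if the quotient is exactly an int32; false means "needs a double". */
bool div_exact(int32_t a, int32_t b, int32_t *out)
{
    if (b == 0)
        return false;         /* Infinity or NaN */
    if (a == INT32_MIN && b == -1)
        return false;         /* 2147483648 does not fit in int32 */
    if (a == 0 && b < 0)
        return false;         /* result is -0, which is not an int32 */
    if (a % b != 0)
        return false;         /* fractional result: the remainder check */
    *out = a / b;
    return true;
}

int main(void)
{
    int32_t q = 0;
    printf("(-2147483648 / -1) | 0 = %d\n", (int)div_truncated(INT32_MIN, -1));
    printf("(7 / 2) | 0 = %d\n", (int)div_truncated(7, 2));
    printf("7 / 2 stays int32: %d\n", (int)div_exact(7, 2, &q));
    printf("-2147483648 / -1 stays int32: %d\n", (int)div_exact(INT32_MIN, -1, &q));
    return 0;
}
```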