[Webkit-unassigned] [Bug 117542] ARM JSC negative zero check missing from compileSoftModulo() after r149152
bugzilla-daemon at webkit.org
Wed Jun 12 10:13:04 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=117542
--- Comment #3 from Roman Zhuykov <zhroma at ispras.ru> 2013-06-12 10:11:40 PST ---
We shouldn't bring back a negative-zero check like "result == 0".
Now the assembly code tries to check the correct condition "dividend < 0 && result == 0", but does it wrong, because the op1GPR register (where the dividend is stored) is clobbered while calling the operationFModOnInts() and fmod() functions.
I have tried this patch, but the new temporary register is also clobbered:
diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -3047,9 +3047,11 @@ void SpeculativeJIT::compileSoftModulo(Node* node)
// and then attempt to convert back.
GPRReg op1GPR = op1.gpr();
GPRReg op2GPR = op2.gpr();
+ GPRTemporary op1Save(this);
FPRResult result(this);
+ m_jit.move(op1GPR, op1Save.gpr());
flushRegisters();
callOperation(operationFModOnInts, result.fpr(), op1GPR, op2GPR);
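Review bot: the copy into op1Save.gpr() is made before flushRegisters() and callOperation(operationFModOnInts, ...), so the saved dividend sits in an ordinary temporary register across the call, exactly as op1GPR does, and nothing in this hunk protects it from the callee. That matches the report above that the new temporary is clobbered too. The dividend needs to live somewhere that survives the call (a stack slot, or a register the callee is required to preserve) or be reloaded after callOperation() returns. Please also add a comment next to the save stating that the value is kept only for the later negative-zero check.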
@@ -3060,7 +3062,7 @@ void SpeculativeJIT::compileSoftModulo(Node* node)
speculationCheck(Overflow, JSValueRegs(), 0, failureCases);
if (!nodeCanIgnoreNegativeZero(node->arithNodeFlags())) {
// Check that we're not about to create negative zero.
- JITCompiler::Jump numeratorPositive = m_jit.branch32(JITCompiler::GreaterThanOrEqual, op1GPR, TrustedImm32(0));
+ JITCompiler::Jump numeratorPositive = m_jit.branch32(JITCompiler::GreaterThanOrEqual, op1Save.gpr(), TrustedImm32(0));
speculationCheck(NegativeZero, JSValueRegs(), 0, m_jit.branchTest32(JITCompiler::Zero, intResult.gpr()));
numeratorPositive.link(&m_jit);
}
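Review bot: the numeratorPositive branch now reads op1Save.gpr() after the call, so whether the NegativeZero speculationCheck runs at all depends on a register whose contents are not guaranteed at that point. If the stale value happens to be non-negative, the branch skips the check and a zero intResult is accepted even when the real dividend was negative. The comparison itself, GreaterThanOrEqual against TrustedImm32(0) followed by branchTest32(Zero, intResult.gpr()), does express "dividend < 0 && result == 0", so the remaining fix is making its input reliable. It would also help to expand the "Check that we're not about to create negative zero" comment to spell out that condition, and to add a regression test with a negative dividend and a zero remainder.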
I don't know what the proper way is to save the dividend value for negative-zero checks.