[INFER] Allocate temp register for JSOP_DIV integer check, bug 639459, r=bhackett
authorJan de Mooij <jandemooij@gmail.com>
Mon, 07 Mar 2011 06:58:07 -0800
changeset 74725 82b01abdfd9270c46c463efd7047e964f760c202
parent 74724 37ab40cd90adc157137e4571cc7003696cef6519
child 74726 1dab51bde3f124d8503acf14c7b9320abf3bca8d
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
reviewersbhackett
bugs639459
milestone2.0b12pre
[INFER] Allocate temp register for JSOP_DIV integer check, bug 639459, r=bhackett
js/src/assembler/assembler/MacroAssemblerX86Common.h
js/src/jit-test/tests/jaeger/bug639459.js
js/src/methodjit/FastArithmetic.cpp
--- a/js/src/assembler/assembler/MacroAssemblerX86Common.h
+++ b/js/src/assembler/assembler/MacroAssemblerX86Common.h
@@ -685,16 +685,17 @@ public:
 
     // Convert 'src' to an integer, and places the resulting 'dest'.
     // If the result is not representable as a 32 bit value, branch.
     // May also branch for some values that are representable in 32 bits
     // (specifically, in this case, 0).
     void branchConvertDoubleToInt32(FPRegisterID src, RegisterID dest, JumpList& failureCases, FPRegisterID fpTemp)
     {
         ASSERT(isSSE2Present());
+        ASSERT(src != fpTemp); 
         m_assembler.cvttsd2si_rr(src, dest);
 
         // If the result is zero, it might have been -0.0, and the double comparison won't catch this!
         failureCases.append(branchTest32(Zero, dest));
 
         // Convert the integer result back to float & compare to the original value - if not equal or unordered (NaN) then jump.
         convertInt32ToDouble(dest, fpTemp);
         m_assembler.ucomisd_rr(fpTemp, src);
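Review bot: The new `ASSERT(src != fpTemp)` states a precondition that the header comment above branchConvertDoubleToInt32 still does not mention, and the assertion is presumably compiled out of release builds. If the two registers alias, `convertInt32ToDouble(dest, fpTemp)` overwrites src before `ucomisd_rr(fpTemp, src)` runs, so the round-trip check compares the value with itself and a NaN or non-integral double would be accepted as an int32. I would extend the comment with `// 'fpTemp' is clobbered and must be a different register from 'src'.` so callers see the contract without relying on a debug build. The added line also carries a trailing space. The function body continues past the end of this hunk.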
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug639459.js
@@ -0,0 +1,6 @@
+function f() {
+    var a = [].length;
+    return a / a;
+}
+assertEq(f(), NaN);
+
--- a/js/src/methodjit/FastArithmetic.cpp
+++ b/js/src/methodjit/FastArithmetic.cpp
@@ -353,23 +353,25 @@ mjit::Compiler::jsop_binary_double(Frame
      * Skip this for 1/x or -1/x, as the result is unlikely to fit in an int.
      */
     if (op == JSOP_DIV &&
         (type == JSVAL_TYPE_INT32 ||
          (type == JSVAL_TYPE_UNKNOWN &&
           !(lhs->isConstant() && lhs->isType(JSVAL_TYPE_INT32) &&
             abs(lhs->getValue().toInt32()) == 1)))) {
         RegisterID reg = frame.allocReg();
+        FPRegisterID fpReg = frame.allocFPReg();
         JumpList isDouble;
-        masm.branchConvertDoubleToInt32(fpLeft, reg, isDouble, fpRight);
+        masm.branchConvertDoubleToInt32(fpLeft, reg, isDouble, fpReg);
         
         masm.storeValueFromComponents(ImmType(JSVAL_TYPE_INT32), reg,
                                       frame.addressOf(lhs));
         
         frame.freeReg(reg);
+        frame.freeReg(fpReg);
         done.setJump(masm.jump());
 
         isDouble.linkTo(masm.label(), &masm);
     }
 
     if (type == JSVAL_TYPE_INT32) {
         /*
          * Integer conversion failed, but the result is expected to be an integer.
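Review bot: Nothing next to the new `frame.allocFPReg()` call records why a separate temp is needed, so a later cleanup could switch back to fpRight to save a register. Judging by the new test and the assertion added in the assembler, fpRight can apparently be the same register as fpLeft (as in `a / a`). A comment on the allocation line such as `// fpRight may alias fpLeft (e.g. a / a); the int32 check clobbers its temp, so use a fresh FP register.` would capture that. It is not visible here whether fpLeft is pinned when allocFPReg runs; if the allocator could evict and return the register backing fpLeft, the same aliasing would come back, so that is worth confirming against the setup earlier in jsop_binary_double. That function starts before and ends after this hunk.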