From 2b0df4da82232840f306823d67c37480bf3c85e5 Mon Sep 17 00:00:00 2001
From: Benjamin Bouvier <benj@benj.me>
Date: Tue, 27 May 2014 11:31:38 +0200
Subject: [PATCH] Bug 1015656: Fix overflows on ARM's ceil inline
 implementation; r=mjrosenb

---
 js/src/jit-test/tests/ion/ceil.js     | 6 ++++++
 js/src/jit/arm/MacroAssembler-arm.cpp | 6 ++++--
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/js/src/jit-test/tests/ion/ceil.js b/js/src/jit-test/tests/ion/ceil.js
index ecb4f37f814e..203e354930dc 100644
--- a/js/src/jit-test/tests/ion/ceil.js
+++ b/js/src/jit-test/tests/ion/ceil.js
@@ -47,6 +47,7 @@ function testBailout(value) {
 
 var INT_MAX = Math.pow(2, 31) - 1;
 var INT_MIN = INT_MAX + 1 | 0;
+var UINT_MAX = Math.pow(2, 32) - 1;
 
 // Values in ]-1; -0]
 testBailout(-0);
@@ -55,5 +56,10 @@ testBailout(-.5);
 // single precision
 testBailout(INT_MAX + .5);
 testBailout(INT_MIN - 129);
+// (UINT_MAX; +inf] have special behavior on ARM
+testBailout(UINT_MAX);
+testBailout(UINT_MAX + .5);
+testBailout(UINT_MAX + 1);
+testBailout(UINT_MAX + 2);
 // BatNaN
 testBailout(NaN);
diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp b/js/src/jit/arm/MacroAssembler-arm.cpp
index 78bcec6c4804..22a3ece6cae3 100644
--- a/js/src/jit/arm/MacroAssembler-arm.cpp
+++ b/js/src/jit/arm/MacroAssembler-arm.cpp
@@ -4229,9 +4229,10 @@ MacroAssemblerARMCompat::ceil(FloatRegister input, Register output, Label *bail)
     ma_vcvt_U32_F64(ScratchFloatReg, ScratchFloatReg);
     compareDouble(ScratchFloatReg, input);
     ma_add(output, Imm32(1), output, NoSetCond, NotEqual);
-    // Bail out if the add overflowed or the result is negative
+    // Bail out if the add overflowed or the result is non positive
     ma_mov(output, output, SetCond);
     ma_b(bail, Signed);
+    ma_b(bail, Zero);
 
     bind(&fin);
 }
@@ -4280,9 +4281,10 @@ MacroAssemblerARMCompat::ceilf(FloatRegister input, Register output, Label *bail
     ma_vcvt_U32_F32(ScratchFloatReg, ScratchFloatReg);
     compareFloat(ScratchFloatReg, input);
     ma_add(output, Imm32(1), output, NoSetCond, NotEqual);
-    // Bail out if the add overflowed or the result is negative
+    // Bail out if the add overflowed or the result is non positive
     ma_mov(output, output, SetCond);
     ma_b(bail, Signed);
+    ma_b(bail, Zero);
 
     bind(&fin);
 }