Fix overflow when subtracting -2^31 (bug 610652, r=dmandelin).

2024-11-01 14:45:29 +00:00 · 2010-11-12 17:55:11 -08:00 · 2010-11-12 17:55:11 -08:00 · 626345489f
commit 626345489f
parent af5cc74416
2 changed files with 11 additions and 0 deletions
--- a/js/src/jit-test/tests/jaeger/bug610652.js
+++ b/js/src/jit-test/tests/jaeger/bug610652.js
@ -0,0 +1,5 @@
+function a1(a2) {
+    return 10 - a2;
+}
+a3 = a1(-2147483648);
+assertEq(a3, 2147483658);
--- a/js/src/methodjit/FastArithmetic.cpp
+++ b/js/src/methodjit/FastArithmetic.cpp
@ -558,6 +558,7 @@ mjit::Compiler::jsop_binary_full(FrameEntry *lhs, FrameEntry *rhs, JSOp op, Void
    int32 value = 0;
    JSOp origOp = op;
    MaybeRegisterID reg;
+    MaybeJump preOverflow;
    if (!regs.resultHasRhs) {
        if (!regs.rhsData.isSet())
            value = rhs->getValue().toInt32();
@ -569,6 +570,9 @@ mjit::Compiler::jsop_binary_full(FrameEntry *lhs, FrameEntry *rhs, JSOp op, Void
        else
            reg = regs.lhsData.reg();
        if (op == JSOP_SUB) {
+            // If the RHS is 0x80000000, the smallest negative value, neg does
+            // not work. Guard against this and treat it as an overflow.
+            preOverflow = masm.branch32(Assembler::Equal, regs.result, Imm32(0x80000000));
            masm.neg32(regs.result);
            op = JSOP_ADD;
        }
@ -658,6 +662,8 @@ mjit::Compiler::jsop_binary_full(FrameEntry *lhs, FrameEntry *rhs, JSOp op, Void
     * know never to try and convert back to integer.
     */
    MaybeJump overflowDone;
+    if (preOverflow.isSet())
+        stubcc.linkExitDirect(preOverflow.get(), stubcc.masm.label());
    stubcc.linkExitDirect(overflow.get(), stubcc.masm.label());
    {
        if (regs.lhsNeedsRemat) {