JavaScriptCore: Fixed <rdar://problem/7728196> REGRESSION (r46701): -(-2147483648)
evaluates to -2147483648 on 32 bit (35842)
Reviewed by Sam Weinig.
Two ways to fix the same bug:
1. Check for overflow when negating, since negating the largest negative
int causes overflow.
2. Constant-fold even when negating a negative, since, like they say in
high school, "math works."
* assembler/MacroAssemblerARM.h:
(JSC::MacroAssemblerARM::branchNeg32):
* assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::branchNeg32): Added a branching version
of the negate operator.
* jit/JITArithmetic.cpp:
(JSC::JIT::emit_op_negate): Use the branching version of the negate
operator to check for overflow.
(JSC::JIT::emitSlow_op_negate): Link the check for overflow to a slow case.
(We could emit inline code for this, since we know what the result would
be, but that's probably just a waste of generated code.)
* parser/Grammar.y: Constant fold even when negating a negative.
LayoutTests: Added a test for <rdar://problem/7728196> REGRESSION (r46701): -(-2147483648)
evaluates to -2147483648 on 32 bit (35842)
Reviewed by Sam Weinig.
* fast/js/negate-overflow-expected.txt: Added.
* fast/js/negate-overflow.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56348 268f45cc-cd09-0410-ab3c-d52691b4dbfc
8 files changed
