[Webkit-unassigned] [Bug 39034] New: String Indexing Failure on JSVALUE32 targets

bugzilla-daemon at webkit.org
Wed May 12 17:00:44 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=39034

           Summary: String Indexing Failure on JSVALUE32 targets
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Other
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: fu at mips.com


From today's testing, I got two regressions on MIPS.
        ecma_3/Date/15.9.5.4.js
        ecma_3/Function/regress-58274.js

2 regressions found.
0 tests fixed.

  The string access is not correct if I access from the beginning: a[0], a[1], a[2], ...
Ex 1:
# ./jsc
> a="01"
01
> a[0]
0
> a[1]
0 <--- THIS IS WRONG!
> a[2]
undefined

Ex 2:
# ./jsc
> a="01"
01
> a[2]
undefined
> a[1]
1 <--- THIS IS CORRECT!
> a[0]
0

  From debugging, I think the code in JIT::stringGetByValStubGenerator() may contain redundant code.
Ex:
...
#if USE(JSVALUE64)
    jit.zeroExtend32ToPtr(regT1, regT1);
#else
    jit.emitFastArithImmToInt(regT1);
#endif
...

  The same code appears in "JIT::emit_op_get_by_val()".  So we may execute it one more time in stringGetByValStubGenerator().

  I need to comment out jit.emitFastArithImmToInt(regT1) for MIPS to fix the two new regressions.  Otherwise, regT1 is shifted right by 1 bit (twice) and the index to a string is wrong.

  I will post a patch soon.  Thanks a lot!
