[Webkit-unassigned] [Bug 39034] New: String Indexing Failure on JSVALUE32 targets
bugzilla-daemon at webkit.org
Wed May 12 17:00:44 PDT 2010
https://bugs.webkit.org/show_bug.cgi?id=39034
Summary: String Indexing Failure on JSVALUE32 targets
Product: WebKit
Version: 528+ (Nightly build)
Platform: Other
OS/Version: Linux
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: fu at mips.com
From today's testing, I got two regressions on MIPS.
ecma_3/Date/15.9.5.4.js
ecma_3/Function/regress-58274.js
2 regressions found.
0 tests fixed.
The string access is not correct if I access from the beginning: a[0], a[1], a[2], ...
Ex 1:
# ./jsc
> a="01"
01
> a[0]
0
> a[1]
0 <--- THIS IS WRONG!
> a[2]
undefined
Ex 2:
# ./jsc
> a="01"
01
> a[2]
undefined
> a[1]
1 <--- THIS IS CORRECT!
> a[0]
0
From debugging, I think the code in JIT::stringGetByValStubGenerator() may contain redundant code.
Ex:
...
#if USE(JSVALUE64)
jit.zeroExtend32ToPtr(regT1, regT1);
#else
jit.emitFastArithImmToInt(regT1);
#endif
...
The same code appears in "JIT::emit_op_get_by_val()". So, we may execute it one more time in stringGetByValStubGenerator().
I need to comment out jit.emitFastArithImmToInt(regT1) for MIPS to fix the two new regressions. Otherwise, regT1 is shifted right by 1 bit (twice) and the index to a string is wrong.
I will post a patch soon. Thanks a lot!