[Webkit-unassigned] [Bug 47356] New: ARM JIT generates undefined operations due to partially uninitialized ShiftTypeAndAmount

bugzilla-daemon at webkit.org
Thu Oct 7 09:50:24 PDT 2010


https://bugs.webkit.org/show_bug.cgi?id=47356

           Summary: ARM JIT generates undefined operations due to
                    partially uninitialized ShiftTypeAndAmount
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Other
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: david_goodwin at apple.com


The generated instructions include operations like:

    ebb08f0c    undefined

which should be:

    ebb00f0c    cmp.w    r0, ip

Note the 1-bit difference. This comes from the high-order shift-amount bit, which must be 0 in cmp and many other operations (apparently the undefined behavior when this is 1 is to just ignore the 1 and do the right thing; I assume that is why we aren't seeing any actual failure because of this). This stems from ShiftTypeAndAmount, which stores shift type and amount as:

    union {
        struct {
            unsigned lo4 : 4;    // low nibble of the byte
            unsigned hi4 : 4;    // high nibble of the byte
        };
        struct {
            unsigned type   : 2;
            unsigned amount : 5; // 2 + 5 = 7 bits: the top bit of hi4 is never written
        };
    } m_u;

Objects of this type are initialized with type = amount = 0, but note that this does not clear all hi4 bits. The attached patch increases amount to 6 bits to fix this (we already ensure that the amount value is > 32).

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
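As an added illustration (not code from the report or from WebKit), the C program below reproduces the two instruction words quoted in the report from the union layout it shows and from a layout with a 6-bit amount. It assumes GCC/Clang little-endian bit-field allocation (first field at bit 0), simulates stale stack contents with memset, and uses a constructed encoder for Thumb-2 CMP.W (register, encoding T3) rather than the project's assembler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout quoted in the report: type (2) + amount (5) = 7 bits, so bit 7,
   the top bit of hi4, is never written by type = amount = 0. */
typedef union {
    struct { unsigned lo4 : 4; unsigned hi4 : 4; };
    struct { unsigned type : 2; unsigned amount : 5; };
} ShiftBitsOriginal;

/* Layout with amount widened to 6 bits: type + amount now cover all 8 bits. */
typedef union {
    struct { unsigned lo4 : 4; unsigned hi4 : 4; };
    struct { unsigned type : 2; unsigned amount : 6; };
} ShiftBitsFixed;

/* Constructed encoder for Thumb-2 CMP.W (register), encoding T3:
   hw1 = 0xEBB0 | Rn; hw2 = (0:imm3) << 12 | 0xF << 8 | (imm2:type) << 4 | Rm.
   hi4 lands in bits 15..12 (bit 15 must be 0), lo4 in bits 7..4. */
static uint32_t encode_cmp_w(unsigned rn, unsigned rm, unsigned hi4, unsigned lo4) {
    uint32_t hw1 = 0xEBB0u | (rn & 0xF);
    uint32_t hw2 = ((hi4 & 0xF) << 12) | (0xFu << 8) | ((lo4 & 0xF) << 4) | (rm & 0xF);
    return (hw1 << 16) | hw2;
}

/* Both helpers model a ShiftTypeAndAmount built in memory that previously held
   0xFF bytes (constructed stale-stack contents), then set to type = amount = 0. */
uint32_t cmp_r0_ip_original(void) {
    ShiftBitsOriginal s;
    memset(&s, 0xFF, sizeof s);
    s.type = 0;
    s.amount = 0;
    return encode_cmp_w(0, 12, s.hi4, s.lo4);   /* r0, ip (r12) */
}

uint32_t cmp_r0_ip_fixed(void) {
    ShiftBitsFixed s;
    memset(&s, 0xFF, sizeof s);
    s.type = 0;
    s.amount = 0;
    return encode_cmp_w(0, 12, s.hi4, s.lo4);
}

int main(void) {
    printf("original layout: %08x\n", cmp_r0_ip_original());  /* ebb08f0c */
    printf("6-bit amount:    %08x\n", cmp_r0_ip_fixed());     /* ebb00f0c */
    return 0;
}
```

With the 7-bit layout the stale bit 7 survives into hi4 and sets bit 15 of the second halfword, which is exactly the `ebb08f0c` word the report shows; widening amount to 6 bits clears it.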