[Webkit-unassigned] [Bug 100896] New: JSC: 64-bit llint "urshiftp 3, PC" should be "rshiftp 3, PC"

bugzilla-daemon at webkit.org
Wed Oct 31 15:15:44 PDT 2012


           Summary: JSC: 64-bit llint "urshiftp 3, PC" should be "rshiftp 3, PC"
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: mark.lam at apple.com

The 64-bit llint keeps the PC as an offset into the bytecode instead of an address.  When calling out to C++ slow paths, the llint converts the PC to an address before the call, and converts it back to an offset after returning from the call.  Given that the PC may be pointing to a glue trampoline outside of the current bytecode, the resultant offset can be negative.

The shift operation there is used to divide the offset by 8 so that it becomes a bytecode Opcode offset instead of a byte offset.  If the original byte offset is negative, we need to do this shift with a regular rshift instead of the unsigned urshift.  The urshift will convert the negative offset into an erroneously large positive offset.  Using an rshift will do the right thing and divide the offset by 8.
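The following is an added illustration, not JavaScriptCore code: a constructed model of the offset/address round-trip described above, showing why a logical shift (urshiftp) turns a negative byte offset into a huge opcode index while an arithmetic shift (rshiftp) divides it by 8 as intended. The buffer, the 8-byte Instruction slot and the "two slots before the bytecode" PC are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model: opcode slots are 8 bytes wide, and the PC is kept as a
 * byte offset from the start of the instruction stream.  It is converted to
 * an address only around calls into C++ slow paths. */
typedef uint64_t Instruction;

/* Constructed bytecode buffer: 16 opcode slots of 8 bytes each. */
static Instruction g_bytecode[16];

/* Offset -> address, as done before calling a slow path.  Done as integer
 * arithmetic so a PC below the buffer (a glue trampoline) is representable. */
static uintptr_t pc_to_address(int64_t byte_offset)
{
    return (uintptr_t)g_bytecode + (uintptr_t)byte_offset;
}

/* Address -> byte offset, as done after the slow path returns.  Negative
 * when the PC points at a trampoline that sits below the bytecode. */
static int64_t address_to_byte_offset(uintptr_t pc)
{
    return (int64_t)(pc - (uintptr_t)g_bytecode);
}

/* The buggy conversion: "urshiftp 3" is a logical shift, so a negative byte
 * offset is reinterpreted as a huge unsigned value before dividing by 8. */
static uint64_t opcode_index_urshift(int64_t byte_offset)
{
    return (uint64_t)byte_offset >> 3;
}

/* The fix: "rshiftp 3" is an arithmetic shift, which keeps the sign bit and
 * divides by 8 (implementation-defined in ISO C, arithmetic on GCC/Clang). */
static int64_t opcode_index_rshift(int64_t byte_offset)
{
    return byte_offset >> 3;
}

int main(void)
{
    /* Constructed: PC two opcode slots before the bytecode, i.e. -16 bytes. */
    int64_t before = -2 * (int64_t)sizeof(Instruction);
    int64_t after = address_to_byte_offset(pc_to_address(before));

    printf("byte offset round-trip: %lld -> %lld\n", (long long)before, (long long)after);
    printf("urshiftp 3: %llu (bogus)\n", (unsigned long long)opcode_index_urshift(after));
    printf("rshiftp 3:  %lld (correct)\n", (long long)opcode_index_rshift(after));
    return 0;
}
```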
