[Webkit-unassigned] [Bug 213307] REGRESSION(r263035): stress/get-prototype-of.js broken on s390x
bugzilla-daemon at webkit.org
Tue Jun 23 15:55:32 PDT 2020
https://bugs.webkit.org/show_bug.cgi?id=213307
--- Comment #5 from Michael Catanzaro <mcatanzaro at gnome.org> ---
(In reply to Alexey Shvayka from comment #4)
> Thank you for the detailed report, Michael!
>
> Looks like LLInt fast path check
> (https://trac.webkit.org/browser/webkit/trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm?rev=263044#L1506)
> doesn't perform as intended.

So the failing line is:

    btinz Structure::m_outOfLineTypeFlags[t2], OverridesGetPrototypeOutOfLine, .opGetPrototypeOfSlow

I see in cloop.rb that btinz tests whether a 32-bit integer is nonzero. I also see in JSTypeInfo.h that OutOfLineTypeFlags is a 16-bit integer, so Structure::m_outOfLineTypeFlags is an array of 16-bit integers. This worries me a bit, but I don't understand the code or llint asm well enough to know whether that's actually a problem.

> Is it possible that bit shift in declaration of
> OverridesGetPrototypeOutOfLine
> (https://trac.webkit.org/browser/webkit/trunk/Source/JavaScriptCore/runtime/JSTypeInfo.h?rev=263044#L69)
> is at fault?

I'm not sure. I don't see why it would be unsafe, since those shifts are operating on 32-bit integers and shift fewer than 32 bits. Is there something you'd like me to change to test it?
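
Added example (not part of the original message and not WebKit code): a byte-order-independent model of the width concern raised in the comment above, comparing a 16-bit and a 32-bit masked test on a 16-bit flags field. The flag value, the neighbouring bytes and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed value for illustration; not the real constant from JSTypeInfo.h. */
#define HYPOTHETICAL_FLAG 0x0004u

enum byte_order { ORDER_LE, ORDER_BE };

/* Write a 16-bit value into memory in the given byte order. */
static void store16(uint8_t *p, uint16_t v, enum byte_order o)
{
    p[o == ORDER_LE ? 0 : 1] = (uint8_t)(v & 0xff);
    p[o == ORDER_LE ? 1 : 0] = (uint8_t)(v >> 8);
}

/* Read `width` bytes (2 or 4) starting at p as one integer in the given byte order. */
static uint32_t load(const uint8_t *p, int width, enum byte_order o)
{
    uint32_t v = 0;
    for (int i = 0; i < width; i++) {
        int idx = (o == ORDER_LE) ? width - 1 - i : i;
        v = (v << 8) | p[idx];
    }
    return v;
}

/* Model of a "branch if (field & mask) != 0" test that loads `width` bytes
 * at the address of a 16-bit flags field. `neighbour` is whatever 16-bit
 * value happens to follow the field in memory (an assumption of this model).
 * Returns 1 when the branch to the slow path would be taken. */
int branch_taken(uint16_t flags, uint16_t neighbour, int width, enum byte_order o)
{
    uint8_t mem[4];
    store16(mem, flags, o);          /* the 16-bit flags field itself */
    store16(mem + 2, neighbour, o);  /* the two bytes that follow it */
    return (load(mem, width, o) & HYPOTHETICAL_FLAG) != 0;
}

int main(void)
{
    const char *names[] = { "little-endian", "big-endian" };
    for (int o = ORDER_LE; o <= ORDER_BE; o++) {
        printf("%-13s flag set,   16-bit test: %d  32-bit test: %d\n", names[o],
               branch_taken(HYPOTHETICAL_FLAG, 0, 2, o),
               branch_taken(HYPOTHETICAL_FLAG, 0, 4, o));
        printf("%-13s flag clear, 16-bit test: %d  32-bit test: %d\n", names[o],
               branch_taken(0, HYPOTHETICAL_FLAG, 2, o),
               branch_taken(0, HYPOTHETICAL_FLAG, 4, o));
    }
    return 0;
}
```

In this model the 32-bit test on a big-endian layout misses a set flag and can fire on the neighbouring bytes instead, while the 16-bit test agrees on both layouts. Whether the LLInt path behaves this way is not established in the thread.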