<html>
    <head>
      <base href="https://bugs.webkit.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - [mips] fix offsets of branches that have to go over a jump"
   href="https://bugs.webkit.org/show_bug.cgi?id=153464">153464</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[mips] fix offsets of branches that have to go over a jump
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>Unclassified
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>WebKit
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>WebKit Nightly Build
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>Other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P2
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>JavaScriptCore
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>webkit-unassigned&#64;lists.webkit.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>guijemont&#64;igalia.com
          </td>
        </tr></table>
      <p>
        <div>
<pre>The jump() function creates 8 instructions, but the offsets of branches
meant to go over them only account for 6. In most cases, this is not an
issue as the last two instructions of jump() would be nops, but in the
rarer case where the jump destination is in a different 256 MB segment,
MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
the last 4 instructions would be a 2 instruction load (lui/ori) into
$t9, a &quot;j $t9&quot; and then a nop. The wrong offset will mean that the
previous branches meant to go over the whole jump will branch to the
&quot;j $t9&quot; instruction, which would jump to whatever is currently in $t9
(since lui/ori would not be executed).</pre>
        </div>
      </p>
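<p>The following is an added model of the failure described in the report, not code from WebKit or JavaScriptCore. It lays out a branch followed by the 8-word jump() sequence, in both the near form (ends in two nops) and the far form that linkWithOffset() produces (ends in lui $t9 / ori $t9 / j $t9 / nop), and steps through it with a stale value in $t9. The first words of the sequence, the jump target, the stale $t9 value and the function names are constructed for the illustration; only the word layout at the landing point follows the bug text.</p>

```c
/*
 * Model of a branch that is meant to skip the 8-word jump() sequence but
 * whose offset only covers 6 words. Added illustration, not WebKit code.
 * Word layout follows the bug description: 8 words; near case ends in two
 * nops; far case ends in lui $t9 / ori $t9 / j $t9 / nop. The words the
 * skipping branch never executes are modelled as nops (simplification).
 */
#include <stdint.h>
#include <stdio.h>

#define JUMP_WORDS 8
#define BUGGY_SKIP 6   /* offset the branches currently account for */
#define FIXED_SKIP 8   /* offset needed to clear the whole jump() sequence */

enum op { NOP, BRANCH_OVER, J_NEAR, LUI_T9, ORI_T9, J_T9 };

struct insn { enum op op; uint32_t imm; };

struct outcome {
    int fell_through;   /* 1: control reached the code after jump(), as intended */
    uint32_t address;   /* otherwise: absolute address control was transferred to */
};

/* Layout: word 0 is the branch over the jump, words 1..8 are the jump()
 * sequence, word 9 is the code after jump(). `skip` is the number of
 * jump() words the branch steps over. */
static int emit(struct insn *code, int skip, int far, uint32_t target)
{
    int n = 0;
    code[n++] = (struct insn){ BRANCH_OVER, (uint32_t)skip };
    for (int i = 0; i < JUMP_WORDS; i++)
        code[n++] = (struct insn){ NOP, 0 };
    if (!far) {
        /* Same 256 MB segment: one direct jump, the last two words stay nops. */
        code[1 + 2] = (struct insn){ J_NEAR, target };
    } else {
        /* Other segment: linkWithOffset() rewrites the last four words. */
        code[1 + 4] = (struct insn){ LUI_T9, target >> 16 };
        code[1 + 5] = (struct insn){ ORI_T9, target & 0xffffu };
        code[1 + 6] = (struct insn){ J_T9, 0 };
        code[1 + 7] = (struct insn){ NOP, 0 };
    }
    return n;
}

/* Execute from word 0; $t9 starts with whatever stale value it holds. */
static struct outcome run(const struct insn *code, int n, uint32_t stale_t9)
{
    uint32_t t9 = stale_t9;
    int pc = 0;
    while (pc < n) {
        struct insn in = code[pc];
        switch (in.op) {
        case NOP:         pc++; break;
        case BRANCH_OVER: pc = 1 + (int)in.imm; break;   /* jump() begins at word 1 */
        case J_NEAR:      return (struct outcome){ 0, in.imm };
        case LUI_T9:      t9 = in.imm << 16; pc++; break;
        case ORI_T9:      t9 |= in.imm; pc++; break;
        case J_T9:        return (struct outcome){ 0, t9 };
        }
    }
    return (struct outcome){ 1, 0 };   /* ran off the end: landed after jump() */
}

/* Where does a taken branch with the given skip count end up? */
struct outcome branch_over_jump(int skip, int far)
{
    struct insn code[1 + JUMP_WORDS];
    int n = emit(code, skip, far, 0x20001000u);   /* constructed jump target */
    return run(code, n, 0xdeadbeefu);             /* constructed stale $t9 */
}

int main(void)
{
    static const char *const kind[] = { "near", "far" };
    for (int far = 0; far < 2; far++)
        for (int skip = BUGGY_SKIP; skip <= FIXED_SKIP; skip += 2) {
            struct outcome o = branch_over_jump(skip, far);
            if (o.fell_through)
                printf("%s jump, skip %d: ok, landed after jump()\n", kind[far], skip);
            else
                printf("%s jump, skip %d: control went to 0x%08x\n",
                       kind[far], skip, o.address);
        }
    return 0;
}
```

<p>With a skip of 6 the near form lands on a nop and falls through harmlessly, which is why the bug goes unnoticed in most builds; the far form lands on the "j $t9" word and transfers control to the stale register contents. With a skip of 8 both forms land on the code after jump().</p>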
    </body>
</html>