100896 2012-10-31 15:17:04 -0700 JSC: 64-bit llint PC offset can be negative: using an unsigned rshift is a bug. 2012-10-31 15:43:28 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 97586 1 mark.lam mark.lam fpizlo ggaren oldest_to_newest 755664 0 mark.lam 2012-10-31 15:17:04 -0700 The 64-bit llint keeps the PC as an offset into the bytecode instead of an address. When calling out to C++ slow paths, the llint converts the PC to an address before the call, and converts it back to an offset after returning from the call. Given that the PC may be pointing to a glue trampoline outside of the current bytecode, the resultant offset can be negative. The shift operation there is used to divide the offset by 8 so that it becomes a bytecode Opcode offset instead of a byte offset. If the original byte offset is negative, we need to do this shift with a regular rshift instead of the unsigned urshift. The urshift will convert the negative offset into an erroneously large positive offset. Using an rshift will do the right thing and divide the offset by 8. 755680 1 171731 mark.lam 2012-10-31 15:36:00 -0700 Created attachment 171731 Fix. 755685 2 mark.lam 2012-10-31 15:42:53 -0700 Landed in r133089: <http://trac.webkit.org/changeset/133089>. 171731 2012-10-31 15:36:00 -0700 2012-10-31 15:37:37 -0700 Fix. bug-100896.patch text/plain 1540 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTMzMDg2KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE0IEBA CisyMDEyLTEwLTMxICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICA2 NC1iaXQgbGxpbnQgUEMgb2Zmc2V0IGNhbiBiZSBuZWdhdGl2ZTogdXNpbmcgYW4gdW5zaWduZWQg c2hpZnQgaXMgYSBidWcuCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVn LmNnaT9pZD0xMDA4OTYuCisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisK KyAgICAgICAgRml4ZWQgdGhlIFBDIG9mZnNldCBkaXZpc2lvbnMgaW4gdGhlIDY0LWJpdCBsbGlu dCBhc20gdG8gdXNlIHJzaGlmdCBpbnN0ZWFkIG9mIHVyc2hpZnQuCisKKyAgICAgICAgKiBsbGlu dC9Mb3dMZXZlbEludGVycHJldGVyNjQuYXNtOgorCiAyMDEyLTEwLTMwICBZdXFpYW5nIFhpYW4g IDx5dXFpYW5nLnhpYW5AaW50ZWwuY29tPgogCiAgICAgICAgIGdsc2wtZnVuY3Rpb24tYXRhbi5o dG1sIFdlYkdMIGNvbmZvcm1hbmNlIHRlc3QgZmFpbHMgYWZ0ZXIgaHR0cHM6Ly9idWdzLndlYmtp dC5vcmcvc2hvd19idWcuY2dpP2lkPTk5MTU0CkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUv bGxpbnQvTG93TGV2ZWxJbnRlcnByZXRlcjY0LmFzbQo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2UvSmF2 YVNjcmlwdENvcmUvbGxpbnQvTG93TGV2ZWxJbnRlcnByZXRlcjY0LmFzbQkocmV2aXNpb24gMTMz MDc1KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2xsaW50L0xvd0xldmVsSW50ZXJwcmV0ZXI2 NC5hc20JKHdvcmtpbmcgY29weSkKQEAgLTg3LDcgKzg3LDcgQEAgbWFjcm8gcmVzdG9yZVN0YXRl QWZ0ZXJDQ2FsbCgpCiAgICAgbW92ZSB0MSwgY2ZyCiAgICAgbW92ZSB0MywgUEIKICAgICBzdWJw IFBCLCBQQwotICAgIHVyc2hpZnRwIDMsIFBDCisgICAgcnNoaWZ0cCAzLCBQQwogZW5kCiAKIG1h Y3JvIGNhbGxTbG93UGF0aChzbG93UGF0aCkKQEAgLTE1MjUsNyArMTUyNSw3IEBAIF9sbGludF9v cF9jYXRjaDoKICAgICBsb2FkcCBKSVRTdGFja0ZyYW1lOjpnbG9iYWxEYXRhW3NwXSwgdDMKICAg ICBsb2FkcCBKU0dsb2JhbERhdGE6OnRhcmdldEludGVycHJldGVyUENGb3JUaHJvd1t0M10sIFBD CiAgICAgc3VicCBQQiwgUEMKLSAgICB1cnNoaWZ0cCAzLCBQQworICAgIHJzaGlmdHAgMywgUEMK ICAgICBsb2FkcCBKU0dsb2JhbERhdGE6OmV4Y2VwdGlvblt0M10sIHQwCiAgICAgc3RvcmVwIDAs IEpTR2xvYmFsRGF0YTo6ZXhjZXB0aW9uW3QzXQogICAgIGxvYWRpcyA4W1BCLCBQQywgOF0sIHQy Cg==