39034 2010-05-12 17:00:44 -0700 String Indexing Failure on JSVALUE32 targets 2010-05-14 05:40:08 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Other Linux RESOLVED FIXED P2 Normal --- 0 fu webkit-unassigned commit-queue oldest_to_newest 224985 0 fu 2010-05-12 17:00:44 -0700 From today's testing, I got two regressions on MIPS. ecma_3/Date/15.9.5.4.js ecma_3/Function/regress-58274.js 2 regressions found. 0 tests fixed. The string access is not correct, if I access from the beginning a[0], a[1], a[2], .... Ex 1: # ./jsc > a="01" 01 > a[0] 0 > a[1] 0 <--- THIS IS WRONG! > a[2] undefined Ex 2: # ./jsc > a="01" 01 > a[2] undefined > a[1] 1 <--- THIS IS CORRECT! > a[0] 0 From debugging, I think the code in JIT::stringGetByValStubGenerator() may contain redundant code. Ex: ... #if USE(JSVALUE64) jit.zeroExtend32ToPtr(regT1, regT1); #else jit.emitFastArithImmToInt(regT1); #endif ... The same code appears in "JIT::emit_op_get_by_val()". So, we may execute one more time in stringGetByValStubGenerator(). I need to comment out jit.emitFastArithImmToInt(regT1) for MIPS to fix two new regressions. Otherwise, regT1 is shifted right by 1 bit (twice) and the index to a string is wrong. I will post a patch soon. Thanks a lot! 225031 1 55924 fu 2010-05-12 18:26:56 -0700 Created attachment 55924 Remove zero-extend/shift-right on regT1 Tested it on MIPS. 0 regressions found. 0 tests fixed. OK. For other platforms, people need to test it. Thanks! 225041 2 55924 oliver 2010-05-12 18:39:13 -0700 Comment on attachment 55924 Remove zero-extend/shift-right on regT1 r=me 225768 3 55924 commit-queue 2010-05-14 05:40:04 -0700 Comment on attachment 55924 Remove zero-extend/shift-right on regT1 Clearing flags on attachment: 55924 Committed r59469: <http://trac.webkit.org/changeset/59469> 225769 4 commit-queue 2010-05-14 05:40:08 -0700 All reviewed patches have been landed. Closing bug. 55924 2010-05-12 18:26:56 -0700 2010-05-14 05:40:03 -0700 Remove zero-extend/shift-right on regT1 jit.diff text/plain 1514 fu SW5kZXg6IEphdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwo9PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0 Q29yZS9DaGFuZ2VMb2cJKHJldmlzaW9uIDU5MzMyKQorKysgSmF2YVNjcmlwdENvcmUvQ2hhbmdl TG9nCSh3b3JraW5nIGNvcHkpCkBAIC0xLDMgKzEsMTYgQEAKKzIwMTAtMDUtMTIgIENoYW8teWlu ZyBGdSAgPGZ1QG1pcHMuY29tPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEp LgorCisgICAgICAgIFN0cmluZyBJbmRleGluZyBGYWlsdXJlIG9uIEpTVkFMVUUzMiB0YXJnZXRz CisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0zOTAzNAor CisgICAgICAgIFJlbW92ZSB6ZXJvLWV4dGVuZC9zaGlmdC1yaWdodCBjb2RlIG9uIHJlZ1QxLCBi ZWNhdXNlIHdlIGFscmVhZHkgaGF2ZQorICAgICAgICBpdCBpbiBlbWl0X29wX2dldF9ieV92YWwo KS4KKworICAgICAgICAqIGppdC9KSVRQcm9wZXJ0eUFjY2Vzcy5jcHA6CisgICAgICAgIChKU0M6 OkpJVDo6c3RyaW5nR2V0QnlWYWxTdHViR2VuZXJhdG9yKToKKwogMjAxMC0wNS0xMiAgT2xpdmVy IEh1bnQgIDxvbGl2ZXJAYXBwbGUuY29tPgogCiAgICAgICAgIFJldmlld2VkIGJ5IEdhdmluIEJh cnJhY2xvdWdoLgpJbmRleDogSmF2YVNjcmlwdENvcmUvaml0L0pJVFByb3BlcnR5QWNjZXNzLmNw cAo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09Ci0tLSBKYXZhU2NyaXB0Q29yZS9qaXQvSklUUHJvcGVydHlBY2Nlc3MuY3Bw CShyZXZpc2lvbiA1OTI4MykKKysrIEphdmFTY3JpcHRDb3JlL2ppdC9KSVRQcm9wZXJ0eUFjY2Vz cy5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTU4LDExICs1OCw2IEBAIFBhc3NSZWZQdHI8TmF0aXZl RXhlY3V0YWJsZT4gSklUOjpzdHJpbmcKICAgICBKdW1wTGlzdCBmYWlsdXJlczsKICAgICBmYWls dXJlcy5hcHBlbmQoaml0LmJyYW5jaFB0cihOb3RFcXVhbCwgQWRkcmVzcyhyZWdUMCksIEltbVB0 cihnbG9iYWxEYXRhLT5qc1N0cmluZ1ZQdHIpKSk7CiAgICAgZmFpbHVyZXMuYXBwZW5kKGppdC5i cmFuY2hUZXN0MzIoTm9uWmVybywgQWRkcmVzcyhyZWdUMCwgT0JKRUNUX09GRlNFVE9GKEpTU3Ry aW5nLCBtX2ZpYmVyQ291bnQpKSkpOwotI2lmIFVTRShKU1ZBTFVFNjQpCi0gICAgaml0Lnplcm9F eHRlbmQzMlRvUHRyKHJlZ1QxLCByZWdUMSk7Ci0jZWxzZQotICAgIGppdC5lbWl0RmFzdEFyaXRo SW1tVG9JbnQocmVnVDEpOwotI2VuZGlmCiAKICAgICAvLyBMb2FkIHN0cmluZyBsZW5ndGggdG8g cmVnVDEsIGFuZCBzdGFydCB0aGUgcHJvY2VzcyBvZiBsb2FkaW5nIHRoZSBkYXRhIHBvaW50ZXIg aW50byByZWdUMAogICAgIGppdC5sb2FkMzIoQWRkcmVzcyhyZWdUMCwgVGh1bmtIZWxwZXJzOjpq c1N0cmluZ0xlbmd0aE9mZnNldCgpKSwgcmVnVDIpOwo=