Bug 131449

Summary: Ensure that LLINT accessing of the ProtoCallFrame is big endian friendly
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren, mhahnenberg, mmirman, msaboff, oliver, tpopela
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 128743    
Attachments:
Description Flags
the patch
none
revised patch. mhahnenberg: review+

Mark Lam
Reported 2014-04-09 12:34:37 PDT
Patch coming.
Attachments
the patch (3.09 KB, patch)
2014-04-09 12:44 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
revised patch. (3.53 KB, patch)
2014-04-09 13:17 PDT, Mark Lam 		mhahnenberg: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2014-04-09 12:44:05 PDT
Created attachment 228975 [details] the patch
Mark Hahnenberg
Comment 2 2014-04-09 12:46:48 PDT
Comment on attachment 228975 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=228975&action=review > Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:194 > + loadp ProtoCallFrame::paddedArgCount[protoCallFrame], temp3 Doesn't this change the behavior? We will end up loading an extra 32 bits. Was the old behavior a bug?
Mark Lam
Comment 3 2014-04-09 12:50:27 PDT
(In reply to comment #2) > (From update of attachment 228975 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=228975&action=review > > > Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:194 > > + loadp ProtoCallFrame::paddedArgCount[protoCallFrame], temp3 > > Doesn't this change the behavior? We will end up loading an extra 32 bits. Was the old behavior a bug? Yes, the old behavior is a bug. Alternatively, we can change ProtoCallFrame::paddedArgCount to an unsigned instead if a size_t.
Mark Hahnenberg
Comment 4 2014-04-09 12:53:06 PDT
Comment on attachment 228975 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=228975&action=review >>> Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:194 >>> + loadp ProtoCallFrame::paddedArgCount[protoCallFrame], temp3 >> >> Doesn't this change the behavior? We will end up loading an extra 32 bits. Was the old behavior a bug? > > Yes, the old behavior is a bug. Alternatively, we can change ProtoCallFrame::paddedArgCount to an unsigned instead if a size_t. Hmm, I'm unfamiliar with ProtoCallFrame. Does the size of the struct need to be consistent between 32-bit and 64-bit? If so then we should definitely change the type to uint32_t.
Mark Hahnenberg
Comment 5 2014-04-09 13:03:03 PDT
Comment on attachment 228975 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=228975&action=review >>>> Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:194 >>>> + loadp ProtoCallFrame::paddedArgCount[protoCallFrame], temp3 >>> >>> Doesn't this change the behavior? We will end up loading an extra 32 bits. Was the old behavior a bug? >> >> Yes, the old behavior is a bug. Alternatively, we can change ProtoCallFrame::paddedArgCount to an unsigned instead if a size_t. > > Hmm, I'm unfamiliar with ProtoCallFrame. Does the size of the struct need to be consistent between 32-bit and 64-bit? If so then we should definitely change the type to uint32_t. Okay, looks like the ProtoCallFrame is the dummy call frame we use when we're about to start executing JS. I vote that we make ProtoCallFrame's arg count match the type of CallFrame, which looks like an int32_t. (Register::payload returns an int32_t, which then gets casted to a size_t inside CallFrame::argumentCountIncludingThis). So maybe uint32_t makes the most sense here.
Mark Lam
Comment 6 2014-04-09 13:17:43 PDT
Created attachment 228978 [details] revised patch.
Mark Hahnenberg
Comment 7 2014-04-09 13:19:54 PDT
Comment on attachment 228978 [details] revised patch. r=me!
Mark Lam
Comment 8 2014-04-09 13:24:39 PDT
Thanks. Landed in r167031: <http://trac.webkit.org/r167031>.
Geoffrey Garen
Comment 9 2014-04-09 14:02:28 PDT
Does this fix a bug? If so, it should come with a description of the bug and a regression test.
Mark Lam
Comment 10 2014-04-09 14:06:55 PDT
(In reply to comment #9) > Does this fix a bug? If so, it should come with a description of the bug and a regression test. The bug only manifests on a big endian system and was caught as soon as Tomas ran the JSC stress tests. I’ll try to create a more isolated test case and post that later.
Geoffrey Garen
Comment 11 2014-04-09 14:23:49 PDT
> The bug only manifests on a big endian system and was caught as soon as Tomas ran the JSC stress tests. I’ll try to create a more isolated test case and post that later. If this patch fixes a bug that's already covered by existing regression test(s), then you don't need to write a new regression test, and instead you should mention that the existing regression test(s) in your ChangeLog.
Mark Lam
Comment 12 2014-04-09 14:24:40 PDT
(In reply to comment #11) > > The bug only manifests on a big endian system and was caught as soon as Tomas ran the JSC stress tests. I’ll try to create a more isolated test case and post that later. > > If this patch fixes a bug that's already covered by existing regression test(s), then you don't need to write a new regression test, and instead you should mention that the existing regression test(s) in your ChangeLog. I will update the ChangeLog comment.
Mark Lam
Comment 13 2014-04-09 14:53:45 PDT
ChangeLog comment updated in r167037: <http://trac.webkit.org/changeset/167037>
Note You need to log in before you can comment on or make changes to this bug.