Bug 164432

Summary:

[JSC] The implementation of 8 bit operation in MacroAssembler should care about uint8_t / int8_t

Product:

WebKit

Reporter:

Yusuke Suzuki <ysuzuki>

Component:

JavaScriptCore

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

fpizlo, ggaren, jfbastien, joepeck, keith_miller, mark.lam, msaboff, ossy, saam

Priority:

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

Bug Blocks:

164004, 164487

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	msaboff: review+
Patch for landing	none

Yusuke Suzuki

Reported 2016-11-04 14:11:29 PDT

In r203331, we fixed some bugs. But the behavior is not changed. We just drop the meaningless assertions. However, MacroAssembler still has a bug. In ARM, ARM64 assemblers, 8bit operations are implementation like this. Jump branch8(RelationCondition cord, Address left, TrustedImm32 right) { TrustedImm32 right8(static_cast<int8_t>(right.m_value)); load8(left, getCachedMemoryTempRegisterIDAndInvalidate()); return branch32(cone, memoryTempRegister, right8); } The problem is, load8 does not perform sign extension. So if you pass signed 8bit value in |right|, the above code has a bad time. 32bit extended values becomes different. One is sign extended, another is not.

Attachments
Patch (44.33 KB, patch) 2016-11-04 22:22 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (46.67 KB, patch) 2016-11-06 00:58 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (46.92 KB, patch) 2016-11-07 11:24 PST, Yusuke Suzuki	msaboff: review+	Details Formatted Diff Diff
Patch for landing (46.82 KB, patch) 2016-11-07 14:54 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Yusuke Suzuki

Comment 1 2016-11-04 14:11:40 PDT

https://trac.webkit.org/changeset/203331

Yusuke Suzuki

Comment 2 2016-11-04 14:25:50 PDT

Current ARM64 branch8 always use load8 to load 8bit value to a register. It means that we cannot perform signed operations like GreaterThan, LessThan etc. addr holds -1 as int8_t. branch8(LessThan, addr, 0) => load8(addr) => 32bit 255 is sotred in the register 255 < 0 (IN 32bit context). => false. But it should return true. If we would like to make it work, we should select load8 / load8SignedExtendTo32 based on the condition.

Yusuke Suzuki

Comment 3 2016-11-04 14:27:26 PDT

This issue actually causes https://bugs.webkit.org/show_bug.cgi?id=164004's crash. Since now JSType(8bit) may have the highest bit.

Yusuke Suzuki

Comment 4 2016-11-04 14:30:18 PDT

(In reply to comment #2) > Current ARM64 branch8 always use load8 to load 8bit value to a register. > It means that we cannot perform signed operations like GreaterThan, LessThan > etc. > > addr holds -1 as int8_t. > branch8(LessThan, addr, 0) => > > load8(addr) => 32bit 255 is sotred in the register > 255 < 0 (IN 32bit context). > > => false. But it should return true. > > If we would like to make it work, we should select load8 / > load8SignedExtendTo32 based on the condition. And also, we should select the way to mask the 32bit value.

Filip Pizlo

Comment 5 2016-11-04 14:33:30 PDT

(In reply to comment #4) > (In reply to comment #2) > > Current ARM64 branch8 always use load8 to load 8bit value to a register. > > It means that we cannot perform signed operations like GreaterThan, LessThan > > etc. > > > > addr holds -1 as int8_t. > > branch8(LessThan, addr, 0) => > > > > load8(addr) => 32bit 255 is sotred in the register > > 255 < 0 (IN 32bit context). > > > > => false. But it should return true. > > > > If we would like to make it work, we should select load8 / > > load8SignedExtendTo32 based on the condition. > > And also, we should select the way to mask the 32bit value. Yes, exactly.

Yusuke Suzuki

Comment 6 2016-11-04 22:22:01 PDT

Created attachment 293984 [details] Patch

Yusuke Suzuki

Comment 7 2016-11-04 22:23:30 PDT

Comment on attachment 293984 [details] Patch WIP

Yusuke Suzuki

Comment 8 2016-11-05 01:57:20 PDT

OK, I've ensured that this fixes https://bugs.webkit.org/show_bug.cgi?id=164004 problem.

Yusuke Suzuki

Comment 9 2016-11-06 00:58:40 PDT

Created attachment 294018 [details] Patch

Yusuke Suzuki

Comment 10 2016-11-07 11:24:59 PST

Created attachment 294072 [details] Patch

Yusuke Suzuki

Comment 11 2016-11-07 11:30:16 PST

And we would like to introduce some testing mechanism like this in the separate patch. https://bugs.webkit.org/show_bug.cgi?id=164487

Michael Saboff

Comment 12 2016-11-07 14:25:47 PST

Comment on attachment 294072 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=294072&action=review r=me > Source/JavaScriptCore/ChangeLog:8 > + Except for X86, our supported MacroAssemblers do not have the native 8bit instructions. Remove "the". > Source/JavaScriptCore/ChangeLog:20 > + The problem is that we exclusively use zero-extended load instruction (load8). Even if > + RelationCondition is signedness aware one, we do not perform signed extension. How about changing "Even if RelationCondition is signedness aware one" to "Even for signed RelationConditions."? Change "signed extension" to "sign extension". > Source/JavaScriptCore/ChangeLog:21 > + It makes signedness aware operations with negative numbers incorrect! Change "signedness aware operations" to "signed operations". > Source/JavaScriptCore/ChangeLog:23 > + into 32bit register. On the other hand, |right| will be signed extended. If you pass 0 Use "sign extended". > Source/JavaScriptCore/ChangeLog:33 > + This problem does not matter since it does not perform extension. You probably can remove this sentence if you insert "signed" between "native" and "8bit" in the prior sentence.

Yusuke Suzuki

Comment 13 2016-11-07 14:46:02 PST

Comment on attachment 294072 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=294072&action=review Thanks! I'll land it once EWS is back. >> Source/JavaScriptCore/ChangeLog:8 >> + Except for X86, our supported MacroAssemblers do not have the native 8bit instructions. > > Remove "the". Dropped. >> Source/JavaScriptCore/ChangeLog:20 >> + RelationCondition is signedness aware one, we do not perform signed extension. > > How about changing "Even if RelationCondition is signedness aware one" to "Even for signed RelationConditions."? Change "signed extension" to "sign extension". Sounds nice. Fixed. >> Source/JavaScriptCore/ChangeLog:21 >> + It makes signedness aware operations with negative numbers incorrect! > > Change "signedness aware operations" to "signed operations". Fixed. >> Source/JavaScriptCore/ChangeLog:23 >> + into 32bit register. On the other hand, |right| will be signed extended. If you pass 0 > > Use "sign extended". Fixed. >> Source/JavaScriptCore/ChangeLog:33 >> + This problem does not matter since it does not perform extension. > > You probably can remove this sentence if you insert "signed" between "native" and "8bit" in the prior sentence. OK, insert "signed" between "native" and "8bit". And drop this sentence.

Yusuke Suzuki

Comment 14 2016-11-07 14:54:57 PST

Created attachment 294089 [details] Patch for landing

Yusuke Suzuki

Comment 15 2016-11-09 11:13:53 PST

Committed r208450: <http://trac.webkit.org/changeset/208450>

Note You need to log in before you can comment on or make changes to this bug.