Bug 47356

Summary: ARM JIT generates undefined operations due to partially uninitialized ShiftTypeAndAmount
Product: WebKit
Reporter: David Goodwin <david_goodwin>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Severity: Normal
CC: commit-queue, dave+webkit, ggaren, oliver, thomas
Priority: P2
Version: 528+ (Nightly build)
Hardware: Other
OS: OS X 10.5
Attachments: Fix partial uninitialization (flags: none)

Description David Goodwin 2010-10-07 09:50:24 PDT
The generated instructions include operations like:

	ebb08f0c	undefined

which should be:

	ebb00f0c	cmp.w	r0, ip

Note the 1-bit difference. This comes from the high-order shift-amount bit, which must be 0 in cmp and many other operations (apparently the undefined behavior when this is 1 is to just ignore the 1 and do the right thing; I assume that is why we aren't seeing any actual failure because of this). This stems from ShiftTypeAndAmount, which stores shift type and amount as:

    union {
        struct {
            unsigned lo4 : 4;   // low nibble of the encoded shift field
            unsigned hi4 : 4;   // high nibble of the encoded shift field
        };
        struct {
            unsigned type   : 2;
            unsigned amount : 5;   // 2 + 5 = 7 bits: the top bit of hi4 is not covered
        };
    } m_u;

Objects of this type are initialized with type = amount = 0, but note that this does not clear all hi4 bits. The attached patch increases amount to 6 bits to fix (we already ensure that the amount value is > 32).
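The two layouts side by side, as an added C demonstration that is not the WebKit patch itself: the object is filled with 0xFF to stand in for stack garbage, then type and amount are initialised to 0 the way the constructor does, and the nibbles are packed into the second instruction halfword. The packing (hi4 at bits 15:12, 0xF at 11:8, lo4 at 7:4, Rm at 3:0) and the 0xEBB0 first halfword are assumptions modelled on the encodings quoted in the report; bit-field order follows GCC/Clang on a little-endian target.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout from the bug report: type(2) + amount(5) covers only 7 of the 8 bits. */
typedef union {
    struct { unsigned lo4 : 4; unsigned hi4 : 4; };
    struct { unsigned type : 2; unsigned amount : 5; };
} ShiftBuggy;

/* Layout after the fix: amount widened to 6 bits, so type + amount covers all 8. */
typedef union {
    struct { unsigned lo4 : 4; unsigned hi4 : 4; };
    struct { unsigned type : 2; unsigned amount : 6; };
} ShiftFixed;

/* Assumed packing of the second Thumb-2 halfword, modelled on the report's
 * 0x8f0c vs 0x0f0c: hi4 -> bits 15:12, 0xF -> bits 11:8 (cmp has no Rd),
 * lo4 -> bits 7:4, Rm -> bits 3:0. Bit 15 must be zero in a valid cmp.w. */
static uint16_t pack_halfword(unsigned hi4, unsigned lo4, unsigned rm) {
    return (uint16_t)((hi4 << 12) | (0xFu << 8) | (lo4 << 4) | (rm & 0xFu));
}

/* Both encoders fill the object with 0xFF as a stand-in for stack garbage,
 * then set type and amount exactly as the original constructor does. */
uint16_t encode_buggy(unsigned type, unsigned amount, unsigned rm) {
    ShiftBuggy s;
    memset(&s, 0xFF, sizeof s);
    s.type = type & 3u;
    s.amount = amount & 0x1Fu;   /* bit 7 of the byte is never written */
    return pack_halfword(s.hi4, s.lo4, rm);
}

uint16_t encode_fixed(unsigned type, unsigned amount, unsigned rm) {
    ShiftFixed s;
    memset(&s, 0xFF, sizeof s);
    s.type = type & 3u;
    s.amount = amount & 0x3Fu;   /* now overwrites all 8 bits */
    return pack_halfword(s.hi4, s.lo4, rm);
}

/* Full word as a disassembler prints it; 0xEBB0 is assumed to be the first
 * halfword of cmp.w with a shifted register, matching the report's ebb0xxxx. */
uint32_t cmp_w_word(uint16_t second_halfword) {
    return (0xEBB0u << 16) | second_halfword;
}

int main(void) {
    printf("buggy: %08x\n", cmp_w_word(encode_buggy(0, 0, 12))); /* ebb08f0c: undefined */
    printf("fixed: %08x\n", cmp_w_word(encode_fixed(0, 0, 12))); /* ebb00f0c: cmp.w r0, ip */
    return 0;
}
```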
Comment 1 David Goodwin 2010-10-07 10:01:17 PDT
Created attachment 70105 [details]
Fix partial uninitialization
Comment 2 WebKit Commit Bot 2010-10-07 14:20:09 PDT
Comment on attachment 70105 [details]
Fix partial uninitialization

Rejecting patch 70105 from commit-queue.

Failed to run "['./WebKitTools/Scripts/webkit-patch', '--status-host=queues.webkit.org', 'build-and-test', '--no-clean', '--no-update', '--test', '--quiet', '--non-interactive']" exit_code: 2
Last 500 characters of output:
l tests successful.
Files=14, Tests=304,  1 wallclock secs ( 0.73 cusr +  0.17 csys =  0.90 CPU)
Running build-dumprendertree
Compiling Java tests
make: Nothing to be done for `default'.
Running tests from /Projects/CommitQueue/LayoutTests
Testing 21483 test cases.
java/lc3/JSObject/ToObject-001.html -> failed

Exiting early after 1 failures. 17534 tests run.
282.36s total testing time

17533 test cases (99%) succeeded
1 test case (<1%) had incorrect layout
28 test cases (<1%) had stderr output

Full output: http://queues.webkit.org/results/4162142
Comment 3 WebKit Commit Bot 2010-10-07 20:16:56 PDT
Comment on attachment 70105 [details]
Fix partial uninitialization

Clearing flags on attachment: 70105

Committed r69372: <http://trac.webkit.org/changeset/69372>
Comment 4 WebKit Commit Bot 2010-10-07 20:17:01 PDT
All reviewed patches have been landed.  Closing bug.
Comment 5 David Tapuska 2011-01-24 07:57:33 PST
*** Bug 45669 has been marked as a duplicate of this bug. ***