Bug 100896 - JSC: 64-bit llint PC offset can be negative: using an unsigned rshift is a bug.
Summary: JSC: 64-bit llint PC offset can be negative: using an unsigned rshift is a bug.
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified (OS: Unspecified)
Importance: P2 Normal
Assignee: Mark Lam
Depends on:
Blocks: 97586
Reported: 2012-10-31 15:17 PDT by Mark Lam
Modified: 2012-10-31 15:43 PDT

See Also:

Fix. (1.50 KB, patch)
2012-10-31 15:36 PDT, Mark Lam
fpizlo: review+

Description Mark Lam 2012-10-31 15:17:04 PDT
The 64-bit llint keeps the PC as an offset into the bytecode instead of an address.  When calling out to C++ slow paths, the llint converts the PC to an address before the call, and converts it back to an offset after returning from the call.  Given that the PC may be pointing to a glue trampoline outside of the current bytecode, the resultant offset can be negative.

The shift operation there is used to divide the offset by 8 so that it becomes a bytecode Opcode offset instead of a byte offset.  If the original byte offset is negative, we need to do this shift with a regular rshift instead of the unsigned urshift.  The urshift will convert the negative offset into an erroneously large positive offset.  Using an rshift will do the right thing and divide the offset by 8.
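The following is an added illustration of the signed-versus-unsigned shift point above; it is not code from WebKit or from this patch. It models the 64-bit llint's PC conversion with plain integers: a byte offset relative to the start of the bytecode is turned into an Instruction (8-byte slot) offset by shifting right by 3. The function names, the constructed offsets and the "trampoline" value are assumptions for the example. Note that `>>` on a negative signed operand is an arithmetic shift on every mainstream compiler (and guaranteed by C++20), which is what makes the signed version behave like division by 8 for multiples of 8.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model: bytecode is an array of 8-byte Instruction slots, and the
// llint keeps the PC as an offset in Instructions (bytes >> 3).
constexpr int64_t kInstructionBytes = 8;

// Byte offset -> Instruction offset using a signed (arithmetic) right shift,
// i.e. the "rshift" the fix switches to. For a negative multiple of 8 this
// is exact division by 8 and the sign is preserved.
int64_t opcodeOffsetSigned(int64_t byteOffset) {
    return byteOffset >> 3;
}

// The same conversion using an unsigned (logical) right shift, i.e. the
// "urshift" the report describes as the bug. A negative byte offset first
// wraps to a huge uint64_t, and the logical shift keeps it huge.
uint64_t opcodeOffsetUnsigned(int64_t byteOffset) {
    return static_cast<uint64_t>(byteOffset) >> 3;
}

// Simulated round trip around a slow-path call: offset -> address -> offset.
// `bytecodeBase` and `pcAddress` are constructed integer "addresses"; a PC
// that points into a glue trampoline located *before* the bytecode yields a
// negative byte offset, which is the case the bug is about.
int64_t roundTripSigned(uint64_t bytecodeBase, uint64_t pcAddress) {
    // Signed subtraction so the difference can legitimately be negative.
    int64_t byteOffset = static_cast<int64_t>(pcAddress - bytecodeBase);
    return opcodeOffsetSigned(byteOffset);
}

// Sanity check a decoded Instruction offset against the bytecode size: the
// wrapped value produced by the unsigned shift fails this, a negative
// trampoline offset is reported as "outside" but with a sane magnitude.
bool offsetWithinBytecode(int64_t opcodeOffset, int64_t instructionCount) {
    return opcodeOffset >= 0 && opcodeOffset < instructionCount;
}

int main() {
    // Constructed values: bytecode at 0x1000, PC in a trampoline 16 bytes before it.
    const uint64_t base = 0x1000;
    const uint64_t pcInTrampoline = base - 2 * kInstructionBytes;
    const int64_t byteOffset = static_cast<int64_t>(pcInTrampoline - base); // -16

    std::printf("byte offset            : %lld\n", (long long)byteOffset);
    std::printf("rshift  (signed)  >> 3 : %lld\n", (long long)opcodeOffsetSigned(byteOffset));
    std::printf("urshift (unsigned)>> 3 : 0x%llx\n", (unsigned long long)opcodeOffsetUnsigned(byteOffset));
    std::printf("round trip (signed)    : %lld\n", (long long)roundTripSigned(base, pcInTrampoline));
    return 0;
}
```

Running it shows the failure mode in the report: the signed shift turns -16 bytes into -2 Instructions, while the unsigned shift turns the same bytes into 0x1ffffffffffffffe, an offset no bytecode block can contain.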
Comment 1 Mark Lam 2012-10-31 15:36:00 PDT
Created attachment 171731 (Fix. patch, 1.50 KB)
Comment 2 Mark Lam 2012-10-31 15:42:53 PDT
Landed in r133089: <http://trac.webkit.org/changeset/133089>.