Bug 39034 - String Indexing Failure on JSVALUE32 targets
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Other Linux
: P2 Normal
Assignee: Nobody
Reported: 2010-05-12 17:00 PDT by Chao-ying Fu
Modified: 2010-05-14 05:40 PDT

Attachments
Remove zero-extend/shift-right on regT1 (1.48 KB, patch)
2010-05-12 18:26 PDT, Chao-ying Fu

Description Chao-ying Fu 2010-05-12 17:00:44 PDT
From today's testing, I got two regressions on MIPS.
        ecma_3/Date/15.9.5.4.js
        ecma_3/Function/regress-58274.js

2 regressions found.
0 tests fixed.

  The string access is not correct if I access from the beginning: a[0], a[1], a[2], ...
Ex 1:
# ./jsc
> a="01"
01
> a[0]
0
> a[1]
0 <--- THIS IS WRONG!
> a[2]
undefined

Ex 2:
# ./jsc
> a="01"
01
> a[2]
undefined
> a[1]
1 <--- THIS IS CORRECT!
> a[0]
0

  From debugging, I think the code in JIT::stringGetByValStubGenerator() may contain redundant code.
Ex:
...
#if USE(JSVALUE64)
    jit.zeroExtend32ToPtr(regT1, regT1);
#else
    jit.emitFastArithImmToInt(regT1);
#endif
...

  The same code appears in "JIT::emit_op_get_by_val()".  So, we may execute it one more time in stringGetByValStubGenerator().

  I need to comment out jit.emitFastArithImmToInt(regT1) for MIPS to fix the two new regressions.  Otherwise, regT1 is shifted right by 1 bit (twice) and the index to a string is wrong.

  I will post a patch soon.  Thanks a lot!
Comment 1 Chao-ying Fu 2010-05-12 18:26:56 PDT
Created attachment 55924
Remove zero-extend/shift-right on regT1

Tested it on MIPS.
0 regressions found.
0 tests fixed.
OK.

For other platforms, people need to test it. Thanks!
Comment 2 Oliver Hunt 2010-05-12 18:39:13 PDT
Comment on attachment 55924
Remove zero-extend/shift-right on regT1

r=me
Comment 3 WebKit Commit Bot 2010-05-14 05:40:04 PDT
Comment on attachment 55924
Remove zero-extend/shift-right on regT1

Clearing flags on attachment: 55924

Committed r59469: <http://trac.webkit.org/changeset/59469>
Comment 4 WebKit Commit Bot 2010-05-14 05:40:08 PDT
All reviewed patches have been landed.  Closing bug.