Bug 54687 - Invalid label can be added into backtrack when building with armcc
Summary: Invalid label can be added into backtrack when building with armcc
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: Other Other
: P1 Blocker
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-02-17 14:00 PST by Yong Li
Modified: 2011-02-22 08:28 PST (History)
6 users (show)

See Also:

Attachments
the fix (1.55 KB, patch)
2011-02-17 14:04 PST, Yong Li 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yong Li 2011-02-17 14:00:38 PST 
Yarr::GenerationState::BacktrackDestination::hasDataLabel() doesn't work when it is built with armcc, because JmpDst::isSet compares m_offset against -1, and m_offset is declared with "int m_offset : 31". According to standards, it depends on the compiler implementation that "int" bit field is signed or unsigned. After changing it to "signed int m_offset : 31", it works well.
Comment 1 Yong Li 2011-02-17 14:04:10 PST 
Created attachment 82858 [details]
the fix
Comment 2 Yong Li 2011-02-17 14:17:24 PST 
There are other cases where we use "int" to declare signed bit field. We should also change them to "signed int". That should be low priority and I prefer to do that in another bug
Comment 3 Alexey Proskuryakov 2011-02-17 20:50:02 PST 
Is this covered by existing regression tests?
Comment 4 Yong Li 2011-02-18 06:05:11 PST 
(In reply to comment #3)
> Is this covered by existing regression tests?

I'll give a try. It is hard for me to write a test case for this because I know very little about how YarrJIT works. The change is harmless. I also plan to make such change to other places including those in WebCore even they haven't caused any known problem. Probably we should have this rule in coding guidelines: "Always explicitly use "signed"/"unsigned" to declare integral bit fields"
Comment 5 Eric Seidel (no email) 2011-02-18 11:56:04 PST 
Comment on attachment 82858 [details]
the fix

We've had related trouble with bitfields using MSVC as well.  There the problem was that enum is a "signed int" and when you make it a bitfield it uses one of the bits as a sign when you don't expect it to. :)

This change seems fine.  Seems you might want a comment here to explain why you need the "signed" part.
Comment 6 Yong Li 2011-02-19 07:43:00 PST 
(In reply to comment #5)
> (From update of attachment 82858 [details])
> We've had related trouble with bitfields using MSVC as well.  There the problem was that enum is a "signed int" and when you make it a bitfield it uses one of the bits as a sign when you don't expect it to. :)
> 
> This change seems fine.  Seems you might want a comment here to explain why you need the "signed" part.

Thanks. I plan to add "sign" to all similar places to make the code independent from the implementation differences of compilers (seems Qt always uses "signed" to declare signed bitfields). After that is done, the change in ARMAssember.h will not be special.
Comment 7 Yong Li 2011-02-19 07:58:26 PST 
Bug 54807 created for the rest places we use "int"/"short" to declare bitfields
Comment 8 WebKit Commit Bot 2011-02-19 08:06:40 PST 
Comment on attachment 82858 [details]
the fix

Clearing flags on attachment: 82858

Committed r79124: <http://trac.webkit.org/changeset/79124>
Comment 9 WebKit Commit Bot 2011-02-19 08:06:45 PST 
All reviewed patches have been landed.  Closing bug.
Comment 10 Alexey Proskuryakov 2011-02-19 20:53:01 PST 
This patch makes no sense to me. "int" is always signed in C++.

Eric, I don't understand why this has been given green light. There is no explanation of what specific problem this patch fixes, and according to comment 4, even regression tests haven't been run!
Comment 11 Eric Seidel (no email) 2011-02-19 21:52:53 PST 
(In reply to comment #10)
> This patch makes no sense to me. "int" is always signed in C++.
> 
> Eric, I don't understand why this has been given green light. There is no explanation of what specific problem this patch fixes, and according to comment 4, even regression tests haven't been run!

The patch seemed reasonable to me.  Yes, ideally there should have been a link to the armcc bug (as I requested in the other bug he filed on this subject).

He states in comment 0 that according to his (I assume yong is a he?) reading of the c++ spec ints in bitfields are unspecified as to their sign.  I've not confirmed this.  But I could believe that armcc might have such a bug.

The cq obviously ran the regression tests. :)

Feel free to roll out the change.
Comment 12 Alexey Proskuryakov 2011-02-19 22:34:00 PST 
> The cq obviously ran the regression tests. :)

I meant, the tests haven't been run on the affected platform.

Since this isn't breaking anything, there is no rush to roll out, and I'll give some time for everyone to comment.
Comment 13 Alexey Proskuryakov 2011-02-19 23:13:37 PST 
Daniel Bates explained in bug 54807 that I was wrong - bitfields are an exception where "signed int" is different from "int".

I think that this should have used "signed", not "signed int" though, just like we never write "unsigned int" in WebKit code. And it doesn't look like we had a good explanation of why there is no regression test.
Comment 14 Yong Li 2011-02-22 08:28:20 PST 
(In reply to comment #13)
> Daniel Bates explained in bug 54807 that I was wrong - bitfields are an exception where "signed int" is different from "int".
> 
> I think that this should have used "signed", not "signed int" though, just like we never write "unsigned int" in WebKit code. And it doesn't look like we had a good explanation of why there is no regression test.

I just tried a few existing JS tests, and I haven't been able to find one that doesn't crash without the fix. (For example, fast/js/const.html, fast/js/array-foreach.html, ...)