Merge r223916 - [mips] fix offsets of branches that have to go over a jump https://bugs.webkit.org/show_bug.cgi?id=153464
The jump() function creates 8 instructions, but the offsets of branches meant to go over them only account for 6. In most cases, this is not an issue as the last two instructions of jump() would be nops, but in the rarer case where the jump destination is in a different 256 MB segment, MIPSAssembler::linkWithOffset() will rewrite the code in a way in which the last 4 instructions would be a 2 instruction load (lui/ori) into $t9, a "j $t9" and then a nop. The wrong offset will mean that the previous branches meant to go over the whole jump will branch to the "j $t9" instruction, which would jump to whatever is currently in $t9 (since lui/ori would not be executed). Reviewed by Michael Catanzaro. * assembler/MacroAssemblerMIPS.h: (JSC::MacroAssemblerMIPS::branchAdd32): (JSC::MacroAssemblerMIPS::branchMul32): (JSC::MacroAssemblerMIPS::branchSub32): Fix the offsets of branches meant to go over code generated by jump().
Modified: releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog (224098 => 224099)
--- releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog 2017-10-27 08:55:17 UTC (rev 224098)
+++ releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/ChangeLog 2017-10-27 08:57:29 UTC (rev 224099)
@@ -1,3 +1,27 @@
+2017-10-24 Guillaume Emont <[email protected]>
+
+ [mips] fix offsets of branches that have to go over a jump
+ https://bugs.webkit.org/show_bug.cgi?id=153464
+
+ The jump() function creates 8 instructions, but the offsets of branches
+ meant to go over them only account for 6. In most cases, this is not an
+ issue as the last two instructions of jump() would be nops, but in the
+ rarer case where the jump destination is in a different 256 MB segment,
+ MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
+ the last 4 instructions would be a 2 instruction load (lui/ori) into
+ $t9, a "j $t9" and then a nop. The wrong offset will mean that the
+ previous branches meant to go over the whole jump will branch to the
+ "j $t9" instruction, which would jump to whatever is currently in $t9
+ (since lui/ori would not be executed).
+
+ Reviewed by Michael Catanzaro.
+
+ * assembler/MacroAssemblerMIPS.h:
+ (JSC::MacroAssemblerMIPS::branchAdd32):
+ (JSC::MacroAssemblerMIPS::branchMul32):
+ (JSC::MacroAssemblerMIPS::branchSub32):
+ Fix the offsets of branches meant to go over code generated by jump().
+
2017-10-09 Oleksandr Skachkov <[email protected]>
Safari 10 /11 problem with if (!await get(something)).
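--- a/releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/assembler/MacroAssemblerMIPS.h
+++ b/releases/WebKitGTK/webkit-2.18/Source/_javascript_Core/assembler/MacroAssemblerMIPS.h
@@ -1809,10 +1809,10 @@
  */
  move(dest, dataTempRegister);
  m_assembler.xorInsn(cmpTempRegister, dataTempRegister, src);
- m_assembler.bltz(cmpTempRegister, 10);
+ m_assembler.bltz(cmpTempRegister, 12);
  m_assembler.addu(dest, dataTempRegister, src);
  m_assembler.xorInsn(cmpTempRegister, dest, dataTempRegister);
- m_assembler.bgez(cmpTempRegister, 7);
+ m_assembler.bgez(cmpTempRegister, 9);
  m_assembler.nop();
  return jump();
  }
@@ -1862,10 +1862,10 @@
  */
  move(op1, dataTempRegister);
  m_assembler.xorInsn(cmpTempRegister, dataTempRegister, op2);
- m_assembler.bltz(cmpTempRegister, 10);
+ m_assembler.bltz(cmpTempRegister, 12);
  m_assembler.addu(dest, dataTempRegister, op2);
  m_assembler.xorInsn(cmpTempRegister, dest, dataTempRegister);
- m_assembler.bgez(cmpTempRegister, 7);
+ m_assembler.bgez(cmpTempRegister, 9);
  m_assembler.nop();
  return jump();
  }
@@ -1936,21 +1936,21 @@
  if (imm.m_value >= -32768 && imm.m_value <= 32767 && !m_fixedWidth) {
  load32(dest.m_ptr, dataTempRegister);
  m_assembler.xori(cmpTempRegister, dataTempRegister, imm.m_value);
- m_assembler.bltz(cmpTempRegister, 10);
+ m_assembler.bltz(cmpTempRegister, 14);
  m_assembler.addiu(dataTempRegister, dataTempRegister, imm.m_value);
  store32(dataTempRegister, dest.m_ptr);
  m_assembler.xori(cmpTempRegister, dataTempRegister, imm.m_value);
- m_assembler.bgez(cmpTempRegister, 7);
+ m_assembler.bgez(cmpTempRegister, 9);
  m_assembler.nop();
  } else {
  load32(dest.m_ptr, dataTempRegister);
  move(imm, immTempRegister);
  m_assembler.xorInsn(cmpTempRegister, dataTempRegister, immTempRegister);
- m_assembler.bltz(cmpTempRegister, 10);
+ m_assembler.bltz(cmpTempRegister, 14);
  m_assembler.addiu(dataTempRegister, dataTempRegister, immTempRegister);
  store32(dataTempRegister, dest.m_ptr);
  m_assembler.xori(cmpTempRegister, dataTempRegister, immTempRegister);
- m_assembler.bgez(cmpTempRegister, 7);
+ m_assembler.bgez(cmpTempRegister, 9);
  m_assembler.nop();
  }
  return jump();
@@ -2000,7 +2000,7 @@
  m_assembler.mfhi(dataTempRegister);
  m_assembler.mflo(dest);
  m_assembler.sra(addrTempRegister, dest, 31);
- m_assembler.beq(dataTempRegister, addrTempRegister, 7);
+ m_assembler.beq(dataTempRegister, addrTempRegister, 9);
  m_assembler.nop();
  return jump();
  }
@@ -2045,7 +2045,7 @@
  m_assembler.mfhi(dataTempRegister);
  m_assembler.mflo(dest);
  m_assembler.sra(addrTempRegister, dest, 31);
- m_assembler.beq(dataTempRegister, addrTempRegister, 7);
+ m_assembler.beq(dataTempRegister, addrTempRegister, 9);
  m_assembler.nop();
  return jump();
  }
@@ -2095,10 +2095,10 @@
  */
  move(dest, dataTempRegister);
  m_assembler.xorInsn(cmpTempRegister, dataTempRegister, src);
- m_assembler.bgez(cmpTempRegister, 10);
+ m_assembler.bgez(cmpTempRegister, 12);
  m_assembler.subu(dest, dataTempRegister, src);
  m_assembler.xorInsn(cmpTempRegister, dest, dataTempRegister);
- m_assembler.bgez(cmpTempRegister, 7);
+ m_assembler.bgez(cmpTempRegister, 9);
  m_assembler.nop();
  return jump();
  }
@@ -2154,10 +2154,10 @@
  */
  move(op1, dataTempRegister);
  m_assembler.xorInsn(cmpTempRegister, dataTempRegister, op2);
- m_assembler.bgez(cmpTempRegister, 10);
+ m_assembler.bgez(cmpTempRegister, 12);
  m_assembler.subu(dest, dataTempRegister, op2);
  m_assembler.xorInsn(cmpTempRegister, dest, dataTempRegister);
- m_assembler.bgez(cmpTempRegister, 7);
+ m_assembler.bgez(cmpTempRegister, 9);
  m_assembler.nop();
  return jump();
  }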
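Review bot: The corrected branch offsets (12, 9 and, in the hunk at @@ -1936 that loads and stores through dest.m_ptr, 14) on the bltz/bgez/beq lines are still bare literals whose only link to the 8-instruction sequence emitted by jump() — and presumably to whatever load32/store32 expand to, which would explain 14 versus 12 — is the reader's memory, so the same miscount can silently return the next time jump() or those helpers change; this applies to all seven hunks in this file. Each enclosing function begins before its hunk, so the signatures are not visible here. A comment on each adjusted branch would at least record the dependency, e.g. `// Offset skips the remaining arithmetic/branch/nop below plus the 8 instructions emitted by jump(); keep in sync with jump().`, and the offsets would be safer still derived from a single named constant for jump()'s instruction count rather than repeated in every function. If the assembler exposes the number of instructions it has emitted, a debug-only assertion that the distance from each branch to the point after jump() equals the encoded offset would catch future drift mechanically, which matters because, as the description explains, a stale offset here lands control on a "j $t9" through a register that was never loaded.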
