Title: [263546] trunk/Source/JavaScriptCore
- Revision: 263546
- Author: [email protected]
- Date: 2020-06-25 16:50:21 -0700 (Thu, 25 Jun 2020)
Log Message
REGRESSION(r263035): stress/get-prototype-of.js broken on s390x
https://bugs.webkit.org/show_bug.cgi?id=213307
Reviewed by Ross Kirsling.
Structure::m_outOfLineTypeFlags is uint16_t. If we access this field as a 32-bit field, we get a different value on big-endian architectures.
Since we do not have half-size-load branch instructions, we should load this uint16_t value via `loadh` (which zero-extends the loaded value)
and branch on that value.
* jit/AssemblyHelpers.cpp:
(JSC::AssemblyHelpers::emitLoadPrototype):
* llint/LowLevelInterpreter64.asm:
Diff
Modified: trunk/Source/JavaScriptCore/ChangeLog (263545 => 263546)
--- trunk/Source/_javascript_Core/ChangeLog 2020-06-25 23:43:38 UTC (rev 263545)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-06-25 23:50:21 UTC (rev 263546)
@@ -1,3 +1,18 @@
+2020-06-25 Yusuke Suzuki <[email protected]>
+
+ REGRESSION(r263035): stress/get-prototype-of.js broken on s390x
+ https://bugs.webkit.org/show_bug.cgi?id=213307
+
+ Reviewed by Ross Kirsling.
+
+ Structure::m_outOfLineTypeFlags is uint16_t. If we access this field as 32bit field, we have different value in big endian architectures.
+ Since we do not have half-size-load branch instructions, we should load this uint16_t value via `loadh` (which zero-extends the loaded value)
+ and perform branch onto that value.
+
+ * jit/AssemblyHelpers.cpp:
+ (JSC::AssemblyHelpers::emitLoadPrototype):
+ * llint/LowLevelInterpreter64.asm:
+
2020-06-25 Mark Lam <[email protected]>
JSCell constructor needs to ensure that the passed in structure is still alive.
Modified: trunk/Source/JavaScriptCore/jit/AssemblyHelpers.cpp (263545 => 263546)
--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2020-06-25 23:43:38 UTC (rev 263545)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2020-06-25 23:50:21 UTC (rev 263546)
@@ -400,9 +400,8 @@
emitLoadStructure(vm, objectGPR, resultRegs.payloadGPR(), scratchGPR);
- auto overridesGetPrototype = branchTest32(MacroAssembler::NonZero,
- MacroAssembler::Address(resultRegs.payloadGPR(), Structure::outOfLineTypeFlagsOffset()),
- TrustedImm32(OverridesGetPrototypeOutOfLine));
+ load16(MacroAssembler::Address(resultRegs.payloadGPR(), Structure::outOfLineTypeFlagsOffset()), scratchGPR);
+ auto overridesGetPrototype = branchTest32(MacroAssembler::NonZero, scratchGPR, TrustedImm32(OverridesGetPrototypeOutOfLine));
slowPath.append(overridesGetPrototype);
loadValue(MacroAssembler::Address(resultRegs.payloadGPR(), Structure::prototypeOffset()), resultRegs);
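Review bot: the new load16 into scratchGPR, placed right after emitLoadStructure, has no comment saying why the flags are loaded into a register instead of tested in memory, so a later cleanup could fold it back into the memory-operand branchTest32 that was removed here and reintroduce the 32-bit read of a uint16_t field. Add a one-line comment at the load16 stating that m_outOfLineTypeFlags is 16 bits wide and must be read with a 16-bit load, and consider a static_assert next to it that OverridesGetPrototypeOutOfLine fits in 16 bits, since the test itself is still the 32-bit branchTest32 on the zero-extended value. scratchGPR is also passed to emitLoadStructure on the line above, so it is worth confirming that it is only a temporary there and is not read again after the load16.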
Modified: trunk/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm (263545 => 263546)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2020-06-25 23:43:38 UTC (rev 263545)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2020-06-25 23:50:21 UTC (rev 263546)
@@ -1509,7 +1509,8 @@
bbb JSCell::m_type[t0], ObjectType, .opGetPrototypeOfSlow
loadStructureWithScratch(t0, t2, t1, t3)
- btinz Structure::m_outOfLineTypeFlags[t2], OverridesGetPrototypeOutOfLine, .opGetPrototypeOfSlow
+ loadh Structure::m_outOfLineTypeFlags[t2], t3
+ btinz t3, OverridesGetPrototypeOutOfLine, .opGetPrototypeOfSlow
loadq Structure::m_prototype[t2], t2
btqz t2, .opGetPrototypeOfPolyProto
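Review bot: the loadh on the line before btinz writes t3, the register passed as the last argument to loadStructureWithScratch just above, so the fix depends on t3 being dead at this point; the visible lines after it only use t2, but a short comment at the loadh saying that t3 is free and that the field is 16 bits would make this safe against later edits. This file is the only interpreter source touched, so please check whether the 32-bit interpreter or any other btinz with a memory operand tests Structure::m_outOfLineTypeFlags the same way and needs the same loadh.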