diff options
| author | Allan Sandfeld Jensen <allan.jensen@digia.com> | 2014-10-09 17:40:37 +0200 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@digia.com> | 2014-10-13 16:29:11 +0200 |
| commit | 0c58a486f551e7e7b63d438e3d32f21f876327d1 (patch) | |
| tree | ea1f785e167ecffe171bd88a380f64205428c4ba | |
| parent | 13ebee35e169a8b1210851ec494951815c70620c (diff) | |
| download | qtwebkit-0c58a486f551e7e7b63d438e3d32f21f876327d1.tar.gz | |
Fix CLoop on big-endian machines
Callee and ScopeChain are JSObject pointers and saved in the 64bit
structure for JS registers. On a 32bit big-endian machine the actual
pointer is offset by the PayloadOffset of 4 bytes, but on little-endian
and 64bit architectures there is no offset.
This patch fixes four places the payloadOffset was not correctly added
on 32bit big-endian, and six places it was added on 64big big-endian
when it shouldn't.
Task-number: QTBUG-41896
Change-Id: I46b474bee9822b8040d1b7b2e8f31ce42e0adefe
Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
| -rw-r--r-- | Source/JavaScriptCore/llint/LowLevelInterpreter.asm | 25 | ||||
| -rw-r--r-- | Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm | 2 |
2 files changed, 16 insertions, 11 deletions
diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm index 2b5a23c24..c4d86ee3f 100644 --- a/Source/JavaScriptCore/llint/LowLevelInterpreter.asm +++ b/Source/JavaScriptCore/llint/LowLevelInterpreter.asm @@ -87,6 +87,12 @@ else const PayloadOffset = 0 end +if JSVALUE64 + const JSCellPayloadOffset = 0 +else + const JSCellPayloadOffset = PayloadOffset +end + # Constant for reasoning about butterflies. const IsArray = 1 const IndexingShapeMask = 30 @@ -161,7 +167,6 @@ else const VectorSizeOffset = 8 end - # Some common utilities. macro crash() if C_LOOP @@ -267,13 +272,13 @@ macro assertNotConstant(index) end macro functionForCallCodeBlockGetter(targetRegister) - loadp Callee[cfr], targetRegister + loadp Callee + JSCellPayloadOffset[cfr], targetRegister loadp JSFunction::m_executable[targetRegister], targetRegister loadp FunctionExecutable::m_codeBlockForCall[targetRegister], targetRegister end macro functionForConstructCodeBlockGetter(targetRegister) - loadp Callee[cfr], targetRegister + loadp Callee + JSCellPayloadOffset[cfr], targetRegister loadp JSFunction::m_executable[targetRegister], targetRegister loadp FunctionExecutable::m_codeBlockForConstruct[targetRegister], targetRegister end @@ -671,7 +676,7 @@ _llint_op_resolve_global_var: macro resolveScopedVarBody(resolveOperations) # First ResolveOperation is to skip scope chain nodes getScope(macro(dest) - loadp ScopeChain + PayloadOffset[cfr], dest + loadp ScopeChain + JSCellPayloadOffset[cfr], dest end, ResolveOperation::m_scopesToSkip[resolveOperations], t1, t2) loadp JSVariableObject::m_registers[t1], t1 # t1 now contains the activation registers @@ -696,7 +701,7 @@ _llint_op_resolve_scoped_var_on_top_scope: loadisFromInstruction(1, t3) # We know we want the top scope chain entry - loadp ScopeChain + PayloadOffset[cfr], t1 + loadp ScopeChain + JSCellPayloadOffset[cfr], t1 loadp JSVariableObject::m_registers[t1], t1 # t1 now contains the activation registers # Second ResolveOperation tells us what offset to use @@ -718,7 +723,7 @@ _llint_op_resolve_scoped_var_with_top_scope_check: loadp JSScope::m_next[t1], dest jmp .done .scopeChainNotCreated: - loadp ScopeChain + PayloadOffset[cfr], dest + loadp ScopeChain + JSCellPayloadOffset[cfr], dest .done: end, # Second ResolveOperation tells us how many more nodes to skip @@ -773,7 +778,7 @@ _llint_op_resolve_base_to_scope: getResolveOperation(4, t0) # First ResolveOperation is to skip scope chain nodes getScope(macro(dest) - loadp ScopeChain + PayloadOffset[cfr], dest + loadp ScopeChain + JSCellPayloadOffset[cfr], dest end, ResolveOperation::m_scopesToSkip[t0], t1, t2) loadisFromInstruction(1, t3) @@ -798,7 +803,7 @@ _llint_op_resolve_base_to_scope_with_top_scope_check: loadp JSScope::m_next[t1], dest jmp .done .scopeChainNotCreated: - loadp ScopeChain + PayloadOffset[cfr], dest + loadp ScopeChain + JSCellPayloadOffset[cfr], dest .done: end, # Second ResolveOperation tells us how many more nodes to skip @@ -823,7 +828,7 @@ macro interpretResolveWithBase(opcodeLength, slowPath) getResolveOperation(4, t0) btpz t0, .slowPath - loadp ScopeChain[cfr], t3 + loadp ScopeChain + JSCellPayloadOffset[cfr], t3 # Get the base loadis ResolveOperation::m_operation[t0], t2 @@ -845,7 +850,7 @@ macro interpretResolveWithBase(opcodeLength, slowPath) loadp JSScope::m_next[t1], dest jmp .done .scopeChainNotCreated: - loadp ScopeChain + PayloadOffset[cfr], dest + loadp ScopeChain + JSCellPayloadOffset[cfr], dest .done: end, sizeof ResolveOperation + ResolveOperation::m_scopesToSkip[t0], t1, t2) diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm index 89e40c7d6..87aa09eab 100644 --- a/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm +++ b/Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm @@ -1692,7 +1692,7 @@ _llint_op_next_pname: loadi 20[PC], t2 loadi PayloadOffset[cfr, t2, 8], t2 loadp JSPropertyNameIterator::m_jsStrings[t2], t3 - loadi [t3, t0, 8], t3 + loadi PayloadOffset[t3, t0, 8], t3 addi 1, t0 storei t0, PayloadOffset[cfr, t1, 8] loadi 4[PC], t1 |