Changeset 182058 in webkit

Timestamp:

Mar 27, 2015 7:28:34 AM (9 years ago)

Author:

msaboff@apple.com

Message:

Objects with numeric properties intermittently get a phantom 'length' property
​https://bugs.webkit.org/show_bug.cgi?id=142792

Reviewed by Csaba Osztrogonác.

Source/JavaScriptCore:

Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
test and branch instructions. This function is used for linking tbz/tbnz branches between
two seperately JIT'ed sections of code. Sometime we'd create a bogus tbz instruction in
the failure case checks in the GetById array length stub created for "obj.length" access.
If the failure case code address was at a negative offset from the stub, we'd look for bit 1
being set when we should have been looking for bit 0.

• assembler/ARM64Assembler.h:

(JSC::ARM64Assembler::disassembleTestAndBranchImmediate):

LayoutTests:

New regression test.

• js/regress-142792-expected.txt: Added.
• js/regress-142792.html: Added.
• js/script-tests/regress-142792.js: Added.

(isArrayLike):
(filter):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/js/regress-142792-expected.txt (added)
• LayoutTests/js/regress-142792.html (added)
• LayoutTests/js/script-tests/regress-142792.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/assembler/ARM64Assembler.h (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2015-03-27  Michael Saboff  <msaboff@apple.com>
+
+        Objects with numeric properties intermittently get a phantom 'length' property
+        https://bugs.webkit.org/show_bug.cgi?id=142792
+
+        Reviewed by Csaba Osztrogonác.
+
+        New regression test.
+
+        * js/regress-142792-expected.txt: Added.
+        * js/regress-142792.html: Added.
+        * js/script-tests/regress-142792.js: Added.
+        (isArrayLike):
+        (filter):
+
 2015-03-26  Zalan Bujtas  <zalan@apple.com>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-03-27  Michael Saboff  <msaboff@apple.com>
+
+        Objects with numeric properties intermittently get a phantom 'length' property
+        https://bugs.webkit.org/show_bug.cgi?id=142792
+
+        Reviewed by Csaba Osztrogonác.
+
+        Fixed a > (greater than) that should be a >> (right shift) in the code that disassembles
+        test and branch instructions.  This function is used for linking tbz/tbnz branches between
+        two seperately JIT'ed sections of code.  Sometime we'd create a bogus tbz instruction in
+        the failure case checks in the GetById array length stub created for "obj.length" access.
+        If the failure case code address was at a negative offset from the stub, we'd look for bit 1
+        being set when we should have been looking for bit 0.
+
+        * assembler/ARM64Assembler.h:
+        (JSC::ARM64Assembler::disassembleTestAndBranchImmediate):
+
 2015-03-27  Yusuke Suzuki  <utatane.tea@gmail.com>
 

trunk/Source/JavaScriptCore/assembler/ARM64Assembler.h

@@ -3238 +3238 @@
         op = (insn >> 24) & 0x1;
         imm14 = (insn << 13) >> 18;
-        bitNumber = static_cast<unsigned>((((insn >> 26) & 0x20)) | ((insn > 19) & 0x1f));
+        bitNumber = static_cast<unsigned>((((insn >> 26) & 0x20)) | ((insn >> 19) & 0x1f));
         rt = static_cast<RegisterID>(insn & 0x1f);
         return (insn & 0x7e000000) == 0x36000000;