Closed Bug 738124 Opened 12 years ago Closed 12 years ago

IonMonkey: OSI breaks if a pool lands in the wrong place

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mjrosenb, Unassigned)

Details

Attachments

(1 file)

Record the call site rather than the return site in OSI
12.14 KB, patch
dvander
: review+
Details | Diff | Splinter Review 
if we have the sequence

1) blx func
2) add sp, sp, 8
3) b pool_end:
.data pool
pool_end:
4) more code

OSI correctly attempts to choose (3) to be the instruction that will later be replaced with a call, however, we record one higher(4), since it is going to be the return address.  With this recorded, the displacement of (4) is correctly updated with the length of the pool, then we attempt to place a call with (4) as its return address, resulting in a call that can never be executed.

By recording (3), then incrementing to get the return address, we patch the call correctly.
Attachment #608205 - Flags: review?(dvander)
Comment on attachment 608205 [details] [diff] [review]
Record the call site rather than the return site in OSI

Review of attachment 608205 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/shared/CodeGenerator-shared.cpp
@@ +343,5 @@
>      JS_ASSERT(masm.currentOffset() - lastOsiPointOffset_ >= Assembler::patchWrite_NearCallSize());
>      lastOsiPointOffset_ = masm.currentOffset();
>  
> +    *callPointOffset = masm.currentOffset();
> +    static int osiCount = 0;

^- Remember to take this out before checking in.
Attachment #608205 - Flags: review?(dvander) → review+
whoops.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: