Title: [90731] trunk/Source/_javascript_Core
Revision
90731
Author
l...@webkit.org
Date
2011-07-11 03:31:20 -0700 (Mon, 11 Jul 2011)

Log Message

Signed arithmetic bug in dataTransfer32.
https://bugs.webkit.org/show_bug.cgi?id=64257

Reviewed by Zoltan Herczeg.

An arithmetic bug is fixed. If the offset of dataTransfer is half of the
addressable memory space on a 32-bit machine (-2147483648 = 0x80000000),
a load instruction is emitted with a wrong zero offset.

Inspired by Jacob Bramley's patch from JaegerMonkey.

* assembler/ARMAssembler.cpp:
(JSC::ARMAssembler::dataTransfer32):
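As an added illustration (not part of this commit or of WebKit's code), the pre-patch and post-patch branch selection for a negative offset is modelled in C below; the pre-patch negation is emulated with two's-complement wrap so the INT_MIN case is well defined, and the `Path`/`Choice` names are assumptions made for the demo only.

```c
#include <stdint.h>

/* Added model of how dataTransfer32 picks an encoding for a negative
 * offset (not WebKit code): a 12-bit immediate (dtr_d), a sub_r of the
 * upper bits plus a 12-bit immediate, or a register offset via moveImm. */
typedef enum { PATH_IMM12, PATH_SUB_IMM12, PATH_REG } Path;

typedef struct {
    Path path;
    uint32_t imm12;   /* 12-bit immediate that would be encoded */
    uint32_t sub_hi;  /* offset >> 12 handed to sub_r, PATH_SUB_IMM12 only */
} Choice;

/* Pre-patch selection. The negation is done in 32-bit two's complement
 * so the demo is well defined; on the 32-bit ARM build -INT_MIN wraps
 * back to INT_MIN in the same way, which is the bug being fixed. */
static Choice old_negative(int32_t offset) {
    int32_t neg = (int32_t)(0u - (uint32_t)offset);
    Choice c = { PATH_REG, 0, 0 };
    if (neg <= 0xfff) {                  /* also true for neg == INT_MIN */
        c.path = PATH_IMM12;
        c.imm12 = (uint32_t)neg & 0xfff; /* INT_MIN & 0xfff == 0: zero offset */
    } else if (neg <= 0xfffff) {
        c.path = PATH_SUB_IMM12;
        c.sub_hi = (uint32_t)neg >> 12;
        c.imm12 = (uint32_t)neg & 0xfff;
    }
    return c;
}

/* Post-patch selection: compare the signed offset directly and negate
 * only inside the ranges where negation cannot overflow. */
static Choice new_negative(int32_t offset) {
    Choice c = { PATH_REG, 0, 0 };
    if (offset >= -0xfff) {
        c.path = PATH_IMM12;
        c.imm12 = (uint32_t)(-offset) & 0xfff;
    } else if (offset >= -0xfffff) {
        c.path = PATH_SUB_IMM12;
        c.sub_hi = (uint32_t)(-offset) >> 12;
        c.imm12 = (uint32_t)(-offset) & 0xfff;
    }
    return c;
}
```

For offset == INT32_MIN the old logic lands in the immediate path with imm12 == 0, while the new logic takes the register-offset path.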

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (90730 => 90731)


--- trunk/Source/_javascript_Core/ChangeLog	2011-07-11 09:33:07 UTC (rev 90730)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-07-11 10:31:20 UTC (rev 90731)
@@ -1,3 +1,19 @@
+2011-07-11  Gabor Loki  <l...@webkit.org>
+
+        Signed arithmetic bug in dataTransfer32.
+        https://bugs.webkit.org/show_bug.cgi?id=64257
+
+        Reviewed by Zoltan Herczeg.
+
+        An arithmetic bug is fixed. If the offset of dataTransfer is half of the
+        addressable memory space on a 32-bit machine (-2147483648 = 0x80000000)
+        a load instruction is emitted with a wrong zero offset.
+
+        Inspired by Jacob Bramley's patch from JaegerMonkey.
+
+        * assembler/ARMAssembler.cpp:
+        (JSC::ARMAssembler::dataTransfer32):
+
 2011-07-09  Thouraya Andolsi  <thouraya.ando...@st.com>
 
         Fix unaligned userspace access for SH4 platforms. 

Modified: trunk/Source/_javascript_Core/assembler/ARMAssembler.cpp (90730 => 90731)


--- trunk/Source/_javascript_Core/assembler/ARMAssembler.cpp	2011-07-11 09:33:07 UTC (rev 90730)
+++ trunk/Source/_javascript_Core/assembler/ARMAssembler.cpp	2011-07-11 10:31:20 UTC (rev 90731)
@@ -276,15 +276,14 @@
             dtr_ur(isLoad, srcDst, base, ARMRegisters::S0 | transferFlag);
         }
     } else {
-        offset = -offset;
-        if (offset <= 0xfff)
-            dtr_d(isLoad, srcDst, base, offset | transferFlag);
-        else if (offset <= 0xfffff) {
-            sub_r(ARMRegisters::S0, base, OP2_IMM | (offset >> 12) | (10 << 8));
-            dtr_d(isLoad, srcDst, ARMRegisters::S0, (offset & 0xfff) | transferFlag);
+        if (offset >= -0xfff)
+            dtr_d(isLoad, srcDst, base, -offset | transferFlag);
+        else if (offset >= -0xfffff) {
+            sub_r(ARMRegisters::S0, base, OP2_IMM | (-offset >> 12) | (10 << 8));
+            dtr_d(isLoad, srcDst, ARMRegisters::S0, (-offset & 0xfff) | transferFlag);
         } else {
             moveImm(offset, ARMRegisters::S0);
-            dtr_dr(isLoad, srcDst, base, ARMRegisters::S0 | transferFlag);
+            dtr_ur(isLoad, srcDst, base, ARMRegisters::S0 | transferFlag);
         }
     }
 }
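Review bot: The final `else` branch now hands the still-negative `offset` to `moveImm` and switches from `dtr_dr` to `dtr_ur`, so correctness there rests on the register add wrapping modulo 2^32 (for offset == -2147483648, S0 holds 0x80000000 and base + S0 yields base - 2^31); a one-line comment at `moveImm(offset, ARMRegisters::S0);` explaining why the subtract form went away would save the next reader from re-deriving it. The two earlier branches are sound because `-offset` is only evaluated once `offset >= -0xfffff` holds, so the negation can no longer overflow; it would be worth pinning the register-offset path with a test for the offset from bug 64257.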
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes