summaryrefslogtreecommitdiffstats
path: root/libs/wpewebkit/patches/142-JavaScriptCore-RISCV64-BBQJIT-rotate-ctz-impl.patch
blob: 0505704801bada96dbb1e12df58d417448bd2df0 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143

--- a/Source/JavaScriptCore/assembler/MacroAssemblerRISCV64.h
+++ b/Source/JavaScriptCore/assembler/MacroAssemblerRISCV64.h
@@ -582,36 +582,51 @@ public:
 
     void countTrailingZeros32(RegisterID src, RegisterID dest)
     {
-        auto temp = temps<Data>();
-        m_assembler.addiInsn(dest, RISCV64Registers::zero, Imm::I<32>());
+        // Previously used slli (64-bit left shift) on a zero-extended 32-bit
+        // value, looking for temp == 0. That never zeros the value until the
+        // set bits fall off bit 63 — so dest decremented past zero and
+        // returned a negative result for any nonzero src. Use the more
+        // direct "right-shift and test bit 0" loop, which terminates in at
+        // most 32 iterations.
+        auto temp = temps<Data, Memory>();
         m_assembler.zeroExtend<32>(temp.data(), src);
+        m_assembler.addiInsn(dest, RISCV64Registers::zero, Imm::I<32>());
 
-        JumpList zero(makeBranch(Equal, temp.data(), RISCV64Registers::zero));
+        JumpList done(makeBranch(Equal, temp.data(), RISCV64Registers::zero));
+
+        m_assembler.addiInsn(dest, RISCV64Registers::zero, Imm::I<0>());
 
         Label loop = label();
-        m_assembler.slliInsn<1>(temp.data(), temp.data());
-        m_assembler.addiInsn(dest, dest, Imm::I<-1>());
-        zero.append(makeBranch(Equal, temp.data(), RISCV64Registers::zero));
+        m_assembler.andiInsn(temp.memory(), temp.data(), Imm::I<1>());
+        done.append(makeBranch(NotEqual, temp.memory(), RISCV64Registers::zero));
+        m_assembler.srliInsn<1>(temp.data(), temp.data());
+        m_assembler.addiInsn(dest, dest, Imm::I<1>());
         jump().linkTo(loop, this);
 
-        zero.link(this);
+        done.link(this);
     }
 
     void countTrailingZeros64(RegisterID src, RegisterID dest)
     {
-        auto temp = temps<Data>();
-        m_assembler.addiInsn(dest, RISCV64Registers::zero, Imm::I<64>());
+        // Same fix as countTrailingZeros32 for the 64-bit case: scan from
+        // bit 0 upward using right-shift + andi 1, instead of left-shifting
+        // until the value falls off the register.
+        auto temp = temps<Data, Memory>();
         m_assembler.addiInsn(temp.data(), src, Imm::I<0>());
+        m_assembler.addiInsn(dest, RISCV64Registers::zero, Imm::I<64>());
 
-        JumpList zero(makeBranch(Equal, temp.data(), RISCV64Registers::zero));
+        JumpList done(makeBranch(Equal, temp.data(), RISCV64Registers::zero));
+
+        m_assembler.addiInsn(dest, RISCV64Registers::zero, Imm::I<0>());
 
         Label loop = label();
-        m_assembler.slliInsn<1>(temp.data(), temp.data());
-        m_assembler.addiInsn(dest, dest, Imm::I<-1>());
-        zero.append(makeBranch(Equal, temp.data(), RISCV64Registers::zero));
+        m_assembler.andiInsn(temp.memory(), temp.data(), Imm::I<1>());
+        done.append(makeBranch(NotEqual, temp.memory(), RISCV64Registers::zero));
+        m_assembler.srliInsn<1>(temp.data(), temp.data());
+        m_assembler.addiInsn(dest, dest, Imm::I<1>());
         jump().linkTo(loop, this);
 
-        zero.link(this);
+        done.link(this);
     }
 
     void byteSwap16(RegisterID reg)
@@ -844,8 +859,72 @@ public:
         m_assembler.srliInsn(dest, src, uint32_t(imm.m_value & ((1 << 6) - 1)));
     }
 
-    MACRO_ASSEMBLER_RISCV64_TEMPLATED_NOOP_METHOD(rotateRight32);
-    MACRO_ASSEMBLER_RISCV64_TEMPLATED_NOOP_METHOD(rotateRight64);
+    // rotateRight32/64: native rv64gc has no rotate instruction (Zbb's
+    // rorw/ror would do it in one), so synthesise via shift + shift + or.
+    // These are called by BBQJIT's I32Rotl/I32Rotr/I64Rotl/I64Rotr handlers
+    // on every non-x86 path (the rotl variants are routed through
+    // rotateRight32 with a negated shift, so a broken or missing
+    // rotateRight* silently miscompiles both rotr and rotl).
+    void rotateRight32(RegisterID src, TrustedImm32 imm, RegisterID dest)
+    {
+        int32_t shift = imm.m_value & 31;
+        if (!shift) {
+            if (src != dest)
+                move(src, dest);
+            m_assembler.maskRegister<32>(dest);
+            return;
+        }
+        auto temp = temps<Data, Memory>();
+        m_assembler.srliwInsn(temp.data(), src, uint32_t(shift));
+        m_assembler.slliwInsn(temp.memory(), src, uint32_t(32 - shift));
+        m_assembler.orInsn(dest, temp.data(), temp.memory());
+        m_assembler.maskRegister<32>(dest);
+    }
+
+    void rotateRight32(RegisterID src, RegisterID shift, RegisterID dest)
+    {
+        auto temp = temps<Data, Memory>();
+        m_assembler.addiInsn(temp.data(), RISCV64Registers::zero, Imm::I<32>());
+        m_assembler.subInsn(temp.data(), temp.data(), shift);
+        m_assembler.srlwInsn(temp.memory(), src, shift);
+        m_assembler.sllwInsn(temp.data(), src, temp.data());
+        m_assembler.orInsn(dest, temp.memory(), temp.data());
+        m_assembler.maskRegister<32>(dest);
+    }
+
+    void rotateRight64(RegisterID src, TrustedImm32 imm, RegisterID dest)
+    {
+        int32_t shift = imm.m_value & 63;
+        if (!shift) {
+            if (src != dest)
+                move(src, dest);
+            return;
+        }
+        auto temp = temps<Data, Memory>();
+        m_assembler.srliInsn(temp.data(), src, uint32_t(shift));
+        m_assembler.slliInsn(temp.memory(), src, uint32_t(64 - shift));
+        m_assembler.orInsn(dest, temp.data(), temp.memory());
+    }
+
+    void rotateRight64(RegisterID src, RegisterID shift, RegisterID dest)
+    {
+        auto temp = temps<Data, Memory>();
+        m_assembler.addiInsn(temp.data(), RISCV64Registers::zero, Imm::I<64>());
+        m_assembler.subInsn(temp.data(), temp.data(), shift);
+        m_assembler.srlInsn(temp.memory(), src, shift);
+        m_assembler.sllInsn(temp.data(), src, temp.data());
+        m_assembler.orInsn(dest, temp.memory(), temp.data());
+    }
+
+    // Two-operand in-place variants used by MacroAssembler.h convenience
+    // wrappers (e.g. urshiftPtr / rolPtr / FastRotation::apply). These were
+    // matched by the previous templated NOOP overload and silently did
+    // nothing; forward to the three-operand form so callers see the real
+    // rotate.
+    void rotateRight32(TrustedImm32 imm, RegisterID srcDst) { rotateRight32(srcDst, imm, srcDst); }
+    void rotateRight64(TrustedImm32 imm, RegisterID srcDst) { rotateRight64(srcDst, imm, srcDst); }
+    void rotateRight32(RegisterID shift, RegisterID srcDst) { rotateRight32(srcDst, shift, srcDst); }
+    void rotateRight64(RegisterID shift, RegisterID srcDst) { rotateRight64(srcDst, shift, srcDst); }
 
     // Scalar BBQJIT primitives: fused shift/add and rotate-left, used by the
     // wasm bytecode-to-machine-code path. RISC-V's baseline rv64gc has no
generated by cgit v1.2.3 (git 2.46.0) at 2026-06-14 01:37:20 +0000