fix JSCore segmentation fault on 64-bit big endian systems

Origin: backport, https://github.com/webkit/webkit/commit/3fdde71c7d95d758
Reviewed-by: Frank Heimes <frank.heimes@canonical.com>
Last-Update: 2021-11-24

In CodeBlock.cpp the code preparing the operands of op_get_from_scope writes
the property offset as pointer size (hence 64 bit) value:

2141: instructions[i + 6].u.pointer = reinterpret_cast<void*>(op.operand);

while the same slot is accessed later by the jitted code as 32 bit integer:

macro getProperty(slow)
   loadisFromInstruction(6, t1)

This fails on big endian targets since the integer access takes the higher
part of the 64 bit value.

Gbp-Pq: Name jscore_big_endian.diff

diff --git a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
index 4b3febb3f589704b90352fee5f7ee5df153fc737..2ba7dba5dcd4934468eb2a2db22490b52e4d9086 100644 (file)
--- a/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
+++ b/Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
@@ -2020,7 +2020,7 @@ macro loadWithStructureCheck(operand, slowPath)
 end
 
 macro getProperty(slow)
-    loadisFromInstruction(6, t1)
+    loadpFromInstruction(6, t1)
     loadPropertyAtVariableOffset(t1, t0, t2, slow)
     valueProfile(t2, 7, t0)
     loadisFromInstruction(1, t0)