Fix JIT branch patching bugs on Apple Silicon

jserv · jserv · commit 0e4850e6a918 · 2025-10-07T04:44:57.000+08:00
This resolves critical bugs in update_branch_imm causing intermittent
test failures (~13-20% failure rate) on macOS/Arm64:
1. MAP_JIT memory corruption: Reading MAP_JIT memory while in write mode
   returns corrupted data on Apple Silicon. Fixed by moving
   pthread_jit_write_protect_np(false) to after the read operation.
2. Branch offset bit accumulation: When branches are patched multiple
   times, old offset bits were not cleared before OR-ing new values.
   Added bit masking to clear old offsets before setting new ones.
diff --git a/src/jit.c b/src/jit.c
@@ -595,24 +595,27 @@ static void update_branch_imm(struct jit_state *state,
     uint32_t insn;
     imm >>= 2;
     rv_log_debug("JIT: Patching branch at offset=%u, imm=%d", offset, imm * 4);
-#if defined(__APPLE__) && defined(__aarch64__)
-    /* Must be in write mode to read/write MAP_JIT memory on Apple ARM64 */
-    pthread_jit_write_protect_np(false);
-#endif
+    /* Read instruction while in execute mode (MAP_JIT requirement) */
     memcpy(&insn, state->buf + offset, sizeof(uint32_t));
     if ((insn & 0xfe000000U) == 0x54000000U /* Conditional branch immediate. */
         || (insn & 0x7e000000U) ==
                0x34000000U) { /* Compare and branch immediate. */
         assert((imm >> 19) == INT64_C(-1) || (imm >> 19) == 0);
+        insn &= ~(0x7ffffU << 5);  /* Clear old offset bits */
         insn |= (imm & 0x7ffff) << 5;
     } else if ((insn & 0x7c000000U) == 0x14000000U) {
         /* Unconditional branch immediate.  */
         assert((imm >> 26) == INT64_C(-1) || (imm >> 26) == 0);
+        insn &= ~0x03ffffffU;  /* Clear old offset bits */
         insn |= (imm & 0x03ffffffU) << 0;
     } else {
         assert(false);
         insn = BAD_OPCODE;
     }
+#if defined(__APPLE__) && defined(__aarch64__)
+    /* Switch to write mode only for writing */
+    pthread_jit_write_protect_np(false);
+#endif
     memcpy(state->buf + offset, &insn, sizeof(uint32_t));
     sys_icache_invalidate(state->buf + offset, sizeof(uint32_t));
 #if defined(__APPLE__) && defined(__aarch64__)
