Closed Bug 519805 Opened 15 years ago Closed 15 years ago

TM: arm fails if sti/stqi have displacements > 12 bits [nanojit]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
All
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta3-fixed
status1.9.1 --- ?

People

(Reporter: gal, Assigned: gal)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 4 obsolete files)

hg qref BEFORE uploading the patch next time.
462 bytes, patch
Details | Diff | Splinter Review
patch
5.87 KB, patch
graydon
: review+
Details | Diff | Splinter Review 
This might affect loads too. As per discussion with Ed the frontend should check what the permissible maximum displacement is (which the backend exports as a symbol) and then split up the store into a sti(add(base, disp), 0). This could be done in the LirWriter. We already have a bunch of helpers there that do similar things.
Ed points out that we have to make sure that constant folding doesn't generate too large displacements again after we split them.
Summary: TM: arm fails if sti/stqi have displacements > 12 bits → TM: arm fails if sti/stqi have displacements > 12 bits [nanojit]
If we're right about the consequences of this, it should be security-sensitive.
Group: core-security
Is there a wallpaper/band-aid approach on this that can correct our issue on ARM Windows Mobile until a proper solution is offered?
Gal proposed this as a testcase for this issue, but I am not able to hit the same assertion (or any crash, for that matter), running this testcase:

for (var i = 0; i < 1950; ++i)
    this["x" + i] = 1;
for (var j = 0; j < 10; ++j)
    ;
Attached patch fixes the assert on WINCE (obsolete) — Splinter Review 
This patch is by no means "the patch", but it fixes the assertion on WINCE, perhaps "the patch" for now is to simply ifdef WINCE this?
Errr, woops.  512, not 2048 (was playing w/ other sizes, but 512 is the only one that works).

        Attachment #404075 -
        Attachment is obsolete: true

    
  
Assignee: general → gal
Flags: blocking1.9.2?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

        Attachment #404364 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

        Attachment #404376 -
        Attachment is obsolete: true

        Attachment #404378 -
        Flags: review?(graydon)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  

        Attachment #404378 -
        Attachment is obsolete: true

        Attachment #404379 -
        Flags: review?(graydon)

        Attachment #404378 -
        Flags: review?(graydon)

    
    

    
  
Comment on attachment 404379 [details] [diff] [review]
patch

good enough, thanks.

        Attachment #404379 -
        Flags: review?(graydon) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/102a83c28bd0
Whiteboard: fixed-in-tracemonkey

    
    

    
  
Why is this bug hidden? We have never shipped an ARM product, have we?

    
  
tracking-fennec: --- → ?
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → ARM

    
    

    
  
I dunno, I figured it might be on at least a few thousand phones, etc., but perhaps I am overly optimistic.  (or pessimistic)  Feel free to open it, if you like.

    
  
Flags: blocking1.9.2? → blocking1.9.2+

    
    

    
  
I recommend opening up the bug. Usually someone from the security group makes that call though so cc'ing Jesse.

    
    

    
  
> I recommend opening up the bug.

Are there any nightly or beta users on ARM?  If there are, we should be nice to them and hold bugs private until they've had a chance to update.

    
    

    
  
yea, we have maemo users on beta and winmo users on alpha.  Both also have nightly users without a working update channel.

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/102a83c28bd0
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
    

    
  
Does this bug affect the 1.9.1 branch, and if so would we bother to fix it there? If not we can probably unhide this bug now.

          status1.9.1:
          --- → ?
Group: core-security
tracking-fennec: ? → ---

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: