Closed
Bug 519805
Opened 15 years ago
Closed 15 years ago
TM: arm fails if sti/stqi have displacements > 12 bits [nanojit]
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta3-fixed |
status1.9.1 | --- | ? |
People
(Reporter: gal, Assigned: gal)
Details
(Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files, 4 obsolete files)
462 bytes,
patch
|
Details | Diff | Splinter Review | |
5.87 KB,
patch
|
graydon
:
review+
|
Details | Diff | Splinter Review |
This might affect loads too. As per discussion with Ed the frontend should check what the permissible maximum displacement is (which the backend exports as a symbol) and then split up the store into a sti(add(base, disp), 0). This could be done in the LirWriter. We already have a bunch of helpers there that do similar things.
Assignee | ||
Comment 1•15 years ago
|
||
Ed points out that we have to make sure that constant folding doesn't generate too large displacements again after we split them.
Assignee | ||
Updated•15 years ago
|
Summary: TM: arm fails if sti/stqi have displacements > 12 bits → TM: arm fails if sti/stqi have displacements > 12 bits [nanojit]
Comment 2•15 years ago
|
||
If we're right about the consequences of this, it should be security-sensitive.
Group: core-security
Comment 3•15 years ago
|
||
Is there a wallpaper/band-aid approach on this that can correct our issue on ARM Windows Mobile until a proper solution is offered?
Comment 4•15 years ago
|
||
Gal proposed this as a testcase for this issue, but I am not able to hit the same assertion (or any crash, for that matter), running this testcase: for (var i = 0; i < 1950; ++i) this["x" + i] = 1; for (var j = 0; j < 10; ++j) ;
Comment 5•15 years ago
|
||
This patch is by no means "the patch", but it fixes the assertion on WINCE, perhaps "the patch" for now is to simply ifdef WINCE this?
Comment 6•15 years ago
|
||
Errr, woops. 512, not 2048 (was playing w/ other sizes, but 512 is the only one that works).
Comment 7•15 years ago
|
||
Attachment #404075 -
Attachment is obsolete: true
Assignee | ||
Updated•15 years ago
|
Assignee: general → gal
Flags: blocking1.9.2?
Assignee | ||
Comment 8•15 years ago
|
||
Assignee | ||
Comment 9•15 years ago
|
||
Attachment #404364 -
Attachment is obsolete: true
Assignee | ||
Comment 10•15 years ago
|
||
Attachment #404376 -
Attachment is obsolete: true
Attachment #404378 -
Flags: review?(graydon)
Assignee | ||
Comment 11•15 years ago
|
||
Attachment #404378 -
Attachment is obsolete: true
Attachment #404379 -
Flags: review?(graydon)
Attachment #404378 -
Flags: review?(graydon)
Comment 12•15 years ago
|
||
Comment on attachment 404379 [details] [diff] [review] patch good enough, thanks.
Attachment #404379 -
Flags: review?(graydon) → review+
Assignee | ||
Comment 13•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/102a83c28bd0
Whiteboard: fixed-in-tracemonkey
Assignee | ||
Comment 14•15 years ago
|
||
Why is this bug hidden? We have never shipped an ARM product, have we?
Assignee | ||
Updated•15 years ago
|
tracking-fennec: --- → ?
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → ARM
Comment 15•15 years ago
|
||
I dunno, I figured it might be on at least a few thousand phones, etc., but perhaps I am overly optimistic. (or pessimistic) Feel free to open it, if you like.
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Assignee | ||
Comment 16•15 years ago
|
||
I recommend opening up the bug. Usually someone from the security group makes that call though so cc'ing Jesse.
Assignee | ||
Comment 17•15 years ago
|
||
Follow-up fix for ARM. http://hg.mozilla.org/tracemonkey/rev/9adc8fa19990
Comment 18•15 years ago
|
||
> I recommend opening up the bug.
Are there any nightly or beta users on ARM? If there are, we should be nice to them and hold bugs private until they've had a chance to update.
Comment 19•15 years ago
|
||
yea, we have maemo users on beta and winmo users on alpha. Both also have nightly users without a working update channel.
Comment 20•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/102a83c28bd0
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 21•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/635bba671d90
status1.9.2:
--- → final-fixed
Comment 22•15 years ago
|
||
Does this bug affect the 1.9.1 branch, and if so would we bother to fix it there? If not we can probably unhide this bug now.
status1.9.1:
--- → ?
Updated•13 years ago
|
Group: core-security
Updated•11 years ago
|
tracking-fennec: ? → ---
You need to log in
before you can comment on or make changes to this bug.
Description
•