Closed Bug 540580 Opened 14 years ago Closed 14 years ago

atomMaxIntValue and atomMinIntValue are apparently incorrect (and the latter unused)

Categories

(Tamarin Graveyard :: Virtual Machine, defect, P3)

Product:
Tamarin Graveyard
Component:
Virtual Machine
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
Q3 11 - Serrano

People

(Reporter: lhansen, Assigned: lhansen)

Details

Attachments

(1 file)

Patch
2.74 KB, patch
stejohns
: review+
Details | Diff | Splinter Review 
atom.h:155: 

#ifdef AVMPLUS_64BIT
    // in 64-bit builds, integer atoms can hold a 53-bit signed value.
    // (this is so that integer values can be interchanged with doubles
    // with no loss of precision)
    const intptr_t atomMinIntValue = -(1LL<<53);
    const intptr_t atomMaxIntValue = (1LL<<53)-1;
#else
    // in 32-bit builds, integer atoms can hold a 29-bit signed value.
    const intptr_t atomMinIntValue = -(1L<<29);
    const intptr_t atomMaxIntValue = (1L<<29)-1;
#endif

The 32-bit values are incorrect.  It is correct that at atom can hold a 29-bit signed value, but the range is then -2^28..2^28-1, while 1L<<29 is 2^29.

The 64-bit values are apparently correct, but only because the double representation is sign+magnitude so we technically have a 54-bit signed number (as the values reveal).

atomMinIntValue is not used anywhere in the VM.

atomMaxIntValue is only used in ::atomIsValidIntptrValue_u(), where it is shifted in such a way that the erroneous value doesn't matter, but it's not quite clear to me why that's going on except possibly to work around the problem with the value of the constant being too large.

Are these constants used externally to the VM, ie, is this a public API?
Good catch. AFAIK these values are not used (or intended to be used) external to the VM itself. I'll do some grepping to verify. In the meantime, let's fix the values here (and add your comments expanding about how the values are derived).
Flags: flashplayer-qrb+
Priority: -- → P3
Target Milestone: --- → flash10.2
Assignee: nobody → lhansen
Neither name is referenced in the player source code (frr-argo).
Another bug here is the shift used for 64-bit values in atomIsValidIntptrValue, it should be 10, not 8.  (The function operates on untagged values, which have 54 bits of precision including the sign.)
Attached patch PatchSplinter Review 

        Attachment #437966 -
        Flags: review?(stejohns)

    
  

        Attachment #437966 -
        Flags: review?(stejohns) → review+

    
    

    
  
tamarin-redux changeset:   4362:87ad0ab7b931
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

    
    

    
  
There is a tiny bug here in the 64-bit case because a sign+magnitude representation has a range from -(2^(n-1)-1) to 2(n-1)-1.  The bug is not important because that value is not currently being used in the code, it is there for completeness.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
tamarin-redux changeset:   4367:07fe671debf0
Status: REOPENED → RESOLVED
Closed: 14 years ago14 years ago
Resolution: --- → FIXED

    
  
Flags: flashplayer-bug+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: