Closed Bug 589714 Opened 14 years ago Closed 14 years ago

JM: Some math operations don't load from backing stores

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dvander, Assigned: dvander)

References

Details

Attachments

(1 file, 2 obsolete files)

fix v2, correct patch
3.83 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
Reduced test case is in the patch, and is most of the failures on the Stanford Crypto Library test suite. The bug is in the integer overflow path for ADD, SUB, and MUL. Sometimes the result register overlaps with an input data register. To rematerialize the input, a load is required.

However it used frame.addressOf(), which really must be used with extreme care when loads are involved. It will return the raw address of a copy, rather than following the copy to its backing store. The copy was not synced, so it was reading garbage.

This affected a few other uses of addressOf() as well. The attached patch introduces a version that follows copies and asserts a sync()'d state.
Attached patch fix (obsolete) — Splinter Review 

        Attachment #468212 -
        Flags: review?(dmandelin)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        fix v2 (obsolete)
        — Splinter Review
      

    


  
SJCL tests pass with this.

        Attachment #468212 -
        Attachment is obsolete: true

        Attachment #468241 -
        Flags: review?(dmandelin)

        Attachment #468212 -
        Flags: review?(dmandelin)

    
    

    
  


  

        Attachment #468241 -
        Attachment is obsolete: true

        Attachment #468328 -
        Flags: review?(dmandelin)

        Attachment #468241 -
        Flags: review?(dmandelin)

    
    

    
  
Comment on attachment 468328 [details] [diff] [review]
fix v2, correct patch

Thanks for the excellent explanation of the cause and the workings of the fix!

        Attachment #468328 -
        Flags: review?(dmandelin) → review+

    
    

    
  
http://hg.mozilla.org/projects/jaegermonkey/rev/c923a0329e02
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: