Closed
Bug 589714
Opened 14 years ago
Closed 14 years ago
JM: Some math operations don't load from backing stores
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: dvander, Assigned: dvander)
Attachments
(1 file, 2 obsolete files)
patch, 3.83 KB, dmandelin: review+
Reduced test case is in the patch, and is most of the failures on the Stanford Crypto Library test suite. The bug is in the integer overflow path for ADD, SUB, and MUL. Sometimes the result register overlaps with an input data register. To rematerialize the input, a load is required. However, it used frame.addressOf(), which really must be used with extreme care when loads are involved. It will return the raw address of a copy, rather than following the copy to its backing store. The copy was not synced, so it was reading garbage. This affected a few other uses of addressOf() as well. The attached patch introduces a version that follows copies and asserts a sync()'d state.
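A toy model of the failure described in the report, added here as an illustration; it is not JaegerMonkey code and not part of the attached patch. `ToyFrame`, `rawAddressOf`, `backingAddressOf`, the slot layout and the `STALE` sentinel are all hypothetical names and constructed values.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy model of a JIT frame tracker. All names are hypothetical and are
// not JaegerMonkey's FrameState API.
constexpr int32_t STALE = 0x0BADBAD0;  // constructed sentinel for unsynced memory

struct Entry {
    int copyOf = -1;      // index of the backing entry, -1 when not a copy
    bool synced = false;  // has the tracked value been stored to memory?
};

struct ToyFrame {
    std::vector<int32_t> memory;  // in-memory stack slots
    std::vector<Entry> entries;   // compile-time tracking state per slot

    explicit ToyFrame(std::size_t n) : memory(n, STALE), entries(n) {}

    // Store a known value to a slot's memory and mark it synced.
    void storeSynced(int slot, int32_t v) {
        memory[slot] = v;
        entries[slot].synced = true;
    }
    // Record that `slot` is a copy of `backing`; nothing is written to memory.
    void makeCopy(int slot, int backing) {
        entries[slot].copyOf = backing;
        entries[slot].synced = false;
    }
    // Raw address of the slot itself, even when the slot is only a copy.
    const int32_t *rawAddressOf(int slot) const { return &memory[slot]; }

    // Follow a copy to its backing store and require a synced state.
    const int32_t *backingAddressOf(int slot) const {
        if (entries[slot].copyOf != -1)
            slot = entries[slot].copyOf;
        assert(entries[slot].synced);
        return &memory[slot];
    }
};

// Overflow path: the result register clobbered the input, so reload it.
int32_t reloadRaw(const ToyFrame &f, int slot) { return *f.rawAddressOf(slot); }
int32_t reloadBacking(const ToyFrame &f, int slot) { return *f.backingAddressOf(slot); }

ToyFrame sampleFrame() {
    ToyFrame f(2);
    f.storeSynced(0, 7);  // slot 0: backing store, value 7 in memory
    f.makeCopy(1, 0);     // slot 1: unsynced copy of slot 0
    return f;
}
```

Reloading slot 1 through `rawAddressOf` reads the stale sentinel, while `backingAddressOf` reaches slot 0 and returns the value the arithmetic actually needs.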
Comment 1 • 14 years ago (Assignee)
Attachment #468212 - Flags: review?(dmandelin)
Comment 2 • 14 years ago (Assignee)
SJCL tests pass with this.
Attachment #468212 - Attachment is obsolete: true
Attachment #468241 - Flags: review?(dmandelin)
Attachment #468212 - Flags: review?(dmandelin)
Comment 3 • 14 years ago (Assignee)
Attachment #468241 - Attachment is obsolete: true
Attachment #468328 - Flags: review?(dmandelin)
Attachment #468241 - Flags: review?(dmandelin)
Comment 4 • 14 years ago
Comment on attachment 468328: fix v2, correct patch
Thanks for the excellent explanation of the cause and the workings of the fix!
Attachment #468328 - Flags: review?(dmandelin) → review+
Comment 5 • 14 years ago (Assignee)
http://hg.mozilla.org/projects/jaegermonkey/rev/c923a0329e02
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED