Closed Bug 1019413 Opened 10 years ago Closed 10 years ago

IonMonkey: do not apply actualOffset() to the safepoint stream offsets.

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla32

Tracking Flags:

Tracking

Status

firefox29

---

wontfix

firefox30

---

wontfix

firefox31

---

fixed

firefox32

---

fixed

firefox-esr24

---

wontfix

People

(Reporter: dougc, Assigned: dougc)

References

Details

(Whiteboard: [qa-] )

Attachments

(1 file)

Do not apply actualOffset() to the safepoint stream offsets. 10 years ago Douglas Crosher [:dougc] 972 bytes, patch	jandem : review+ nbp : review+ Sylvestre : approval-mozilla-aurora+ lsblakk : approval-mozilla-beta-	Details \| Diff \| Splinter Review

Douglas Crosher [:dougc]

Assignee

Description

•

10 years ago

The actualOffset() method is for converting assembler buffer offsets to their final position and is not relevant to the safepoint stream offsets and it could corrupt these offsets.

Douglas Crosher [:dougc]

Assignee

Comment 1

•

10 years ago

Attached patch Do not apply actualOffset() to the safepoint stream offsets. — Details — Splinter Review

Assignee: nobody → dtc-moz

Attachment #8433286 - Flags: review?(jdemooij)

Jan de Mooij [:jandem]

Comment 2

•

10 years ago

Comment on attachment 8433286 [details] [diff] [review]
Do not apply actualOffset() to the safepoint stream offsets.

Review of attachment 8433286 [details] [diff] [review]:
-----------------------------------------------------------------

Awesome. I'm surprised the fuzzers didn't hit this yet.

Attachment #8433286 - Flags: review?(jdemooij) → review+

Douglas Crosher [:dougc]

Assignee

Updated

•

10 years ago

Keywords: checkin-needed

Douglas Crosher [:dougc]

Assignee

Comment 3

•

10 years ago

Comment on attachment 8433286 [details] [diff] [review]
Do not apply actualOffset() to the safepoint stream offsets.

[Approval Request Comment]

Bug caused by (feature/regressing bug #): This is a long standing bug. The last change to this code was some renaming in bug 726236.

User impact if declined: This has not caused any reported crashes, but it is incorrect code and there might be potential for a crash.

Testing completed (on m-c, etc.): passes jit-tests locally. Corrects an issue in extended testing.

Risk to taking this patch (and alternatives if risky): low.

String or IDL/UUID changes made by this patch: n/a

Attachment #8433286 - Flags: approval-mozilla-beta?

Attachment #8433286 - Flags: approval-mozilla-aurora?

Nicolas B. Pierron [:nbp]

Comment 4

•

10 years ago

Comment on attachment 8433286 [details] [diff] [review]
Do not apply actualOffset() to the safepoint stream offsets.

Review of attachment 8433286 [details] [diff] [review]:
-----------------------------------------------------------------

I confirm this patch is good, as the safepointOffset is coming from the CompactBuffer[1,2,3,4] and not the assembly buffer.
We *should* backport this patch to all branches.

[1] http://dxr.mozilla.org/mozilla-central/source/js/src/jit/Safepoints.h?from=SafepointWriter&case=true#23
[2] http://dxr.mozilla.org/mozilla-central/source/js/src/jit/Safepoints.cpp#31
[3] http://dxr.mozilla.org/mozilla-central/source/js/src/jit/Safepoints.cpp#320
[4] http://dxr.mozilla.org/mozilla-central/source/js/src/jit/LIR.h#1404

Attachment #8433286 - Flags: review+

Nicolas B. Pierron [:nbp]

Comment 5

•

10 years ago

(In reply to Nicolas B. Pierron [:nbp] from comment #4)
> We *should* backport this patch to all branches.

Note, this mostly matters for ARM, as the fixup is a no-op on x86 / x64 architectures.

status-firefox29: --- → affected

status-firefox30: --- → affected

status-firefox31: --- → affected

status-firefox32: --- → affected

status-firefox-esr24: --- → affected

Ryan VanderMeulen [:RyanVM]

Comment 6

•

10 years ago

Do we have a Try link for this? :)

Keywords: checkin-needed

Nicolas B. Pierron [:nbp]

Comment 7

•

10 years ago

(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #6)
> Do we have a Try link for this? :)

Now, we do:
https://tbpl.mozilla.org/?tree=Try&rev=9e217cf9f02a

Sylvestre Ledru [:Sylvestre]

Comment 8

•

10 years ago

Wont fix for 29 and ESR (not a security issue). I guess this is going to have the same fate for 30.

status-firefox29: affected → wontfix

status-firefox-esr24: affected → wontfix

Sylvestre Ledru [:Sylvestre]

Comment 9

•

10 years ago

Idem for 30.

status-firefox30: affected → wontfix

Lukas Blakk [:lsblakk] use ?needinfo

Updated

•

10 years ago

Attachment #8433286 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Lukas Blakk [:lsblakk] use ?needinfo

Comment 10

•

10 years ago

Comment on attachment 8433286 [details] [diff] [review]
Do not apply actualOffset() to the safepoint stream offsets.

wrong way - meant to '-' for beta.

Attachment #8433286 - Flags: approval-mozilla-beta+ → approval-mozilla-beta-

Benjamin Bouvier [:bbouvier] (inactive)

Comment 11

•

10 years ago

See also comment 7 for try link (all oranges seem unrelated).

Keywords: checkin-needed

Carsten Book [:Tomcat]

Comment 12

•

10 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/766912d43305

Ryan VanderMeulen [:RyanVM]

Updated

•

10 years ago

Keywords: checkin-needed

Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)

Comment 13

•

10 years ago

https://hg.mozilla.org/mozilla-central/rev/766912d43305

Status: NEW → RESOLVED

Closed: 10 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla32

Sylvestre Ledru [:Sylvestre]

Updated

•

10 years ago

Attachment #8433286 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Ryan VanderMeulen [:RyanVM]

Comment 14

•

10 years ago

https://hg.mozilla.org/releases/mozilla-aurora/rev/143f7c2f05df

status-firefox31: affected → fixed

status-firefox32: affected → fixed

Liz Henry (:lizzard) (relman/hg->git project)

Updated

•

10 years ago

Whiteboard: [qa-]

You need to log in before you can comment on or make changes to this bug.