Closed Bug 1147353 Opened 5 years ago Closed 5 years ago

Odin: simplify the masked index bounds check test.


(Core :: JavaScript Engine: JIT, defect)


Tracking Status
firefox39 --- fixed


(Reporter: dougc, Assigned: dougc)



(1 file, 1 obsolete file)

The test of a masked index against the known minimum heap length is overly complex, and while the recent update fixes an issue, it is still a little too conservative and misses some opportunities.
This code was way too complex, sorry. It just needed to compare the mask to the length and avoid negative indexes when the top bit of the mask is set.
Attachment #8583043 - Flags: review?(sphink)
Comment on attachment 8583043
Simplify the masked index bounds check test.

Review of attachment 8583043:

Makes sense to me. A slightly different way of stating it is that ANDing the mask with the index can only decrease the mask if it's unsigned, so mask ≤ max => (x & mask) ≤ max since (mask & x) ≤ mask ≤ max. Pretty much the same as what your comment says.

And yet -- I'd rather luke stamp this too, if you don't mind. My paranoia knows no bounds.

::: js/src/asmjs/AsmJSValidate.cpp
@@ +4444,5 @@
>      uint32_t mask2;
>      if (IsLiteralOrConstInt(f, maskNode, &mask2)) {
>          // Flag the access to skip the bounds check if the mask ensures that an 'out of
> +        // bounds' access can not occur based on the current heap length constraint. The
> +        // maxium of a masked index is the mask itself so simply compare the mask to the
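
Review bot: the added comment's statement that the maximum of a masked index is the mask itself holds only when the index is read as unsigned, and the bug description says negative indexes must be avoided when the top bit of the mask is set, so the comment should state that condition next to the comparison (for example "The unsigned maximum of a masked index is the mask itself"). In the same added lines, "maxium" should be "maximum" and "can not" should be "cannot".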

Attachment #8583043 - Flags: review?(sphink)
Attachment #8583043 - Flags: review?(luke)
Attachment #8583043 - Flags: review+
(In reply to Steve Fink [:sfink, :s:] from comment #2)
> My paranoia knows no bounds.

Comment on attachment 8583043
Simplify the masked index bounds check test.

Much simpler.
Attachment #8583043 - Flags: review?(luke) → review+
Fix the source comment. Carrying forward r+.
Attachment #8583043 - Attachment is obsolete: true
Attachment #8583435 - Flags: review+
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
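
The argument made in the review above, that `(x & mask) ≤ mask` so comparing the mask to the minimum heap length is enough once a set top bit is ruled out, can be checked by brute force at a small width. The following is an added example, not code from the patch or from SpiderMonkey; the function names, the one-byte access model and the strict `mask < length` comparison are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not SpiderMonkey code: for a `bits`-wide index, may the
 * bounds check on a one-byte access heap[x & mask] be skipped? */
static bool can_skip(uint32_t mask, uint32_t min_len, unsigned bits)
{
    uint32_t sign = 1u << (bits - 1);
    if (mask & sign)        /* top bit set: x & mask can be a negative index */
        return false;
    return mask < min_len;  /* (x & mask) <= mask, so mask bounds every index */
}

/* The 32-bit case discussed in the bug. */
bool can_skip_bounds_check(uint32_t mask, uint32_t min_heap_length)
{
    return can_skip(mask, min_heap_length, 32);
}

/* Ground truth: is x & mask non-negative and below len for every x? (bits < 32) */
static bool all_indexes_in_bounds(uint32_t mask, uint32_t len, unsigned bits)
{
    uint32_t sign = 1u << (bits - 1);
    for (uint32_t x = 0; x < (1u << bits); x++) {
        uint32_t idx = x & mask;
        if ((idx & sign) || idx >= len)
            return false;
    }
    return true;
}

/* Count (mask, len) pairs where the simple test and the brute force differ. */
unsigned count_disagreements(unsigned bits)
{
    unsigned bad = 0;
    for (uint32_t mask = 0; mask < (1u << bits); mask++)
        for (uint32_t len = 0; len <= (1u << bits); len++)
            if (can_skip(mask, len, bits) != all_indexes_in_bounds(mask, len, bits))
                bad++;
    return bad;
}

int main(void)
{
    printf("8-bit disagreements: %u\n", count_disagreements(8));
    printf("mask 0xFFFF, length 0x10000: %d\n", can_skip_bounds_check(0xFFFF, 0x10000));
    return 0;
}
```

In this 8-bit model the simple test agrees with the brute force for every mask and length, so it never skips a needed check and never keeps an unneeded one.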