Closed
Bug 1156914
Opened 9 years ago
Closed 9 years ago
MacroAssembler::pushValue(const Address&) is a footgun on 32 bit systems
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla41
| Tracking | Status | |
|---|---|---|
| firefox41 | --- | fixed |
People
(Reporter: efaust, Unassigned)
Details
Attachments
(1 file)
|
3.56 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
On ARM, it asserts that the base is not the stack pointer, which makes sense, since it has to push the value in two instructions, and the address passed will be invalidated. There is no such assertion on X86. The result is simply bogus. Fix it up so that they both work properly.
Attachment #8595495 -
Flags: review?(jdemooij)
|
||
Comment 1•9 years ago
|
||
Comment on attachment 8595495 [details] [diff] [review] Fix Review of attachment 8595495 [details] [diff] [review]: ----------------------------------------------------------------- Another footgun gone, nice. ::: js/src/jit/arm/MacroAssembler-arm.h @@ +59,5 @@ > + Register baseReg = Register::FromCode(base.base()); > + // If we are based on StackPointer, pass over the type tag just pushed. > + if (baseReg == StackPointer) > + return Operand(Regsiter::FromCode(base.base()), base.disp() + sizeof(void*)); > + else Nit: Register (typo) and rm else-after-return ::: js/src/jit/x86/MacroAssembler-x86.h @@ +72,5 @@ > + // first push. > + if (addr.base == StackPointer) > + return Operand(address.base, address.offset + 4); > + else > + return payloadOf(address); Nit: some trailing whitespace and remove the else-after-return
Attachment #8595495 -
Flags: review?(jdemooij) → review+
|
||
Comment 6•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b857aea3b490
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox41:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
You need to log in
before you can comment on or make changes to this bug.
Description
•