Closed Bug 1330330 Opened 7 years ago Closed 7 years ago

MacroAssemblerX64::handleFailureWithHandlerTail load a 32 bits value as 64 bits.

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla54
Tracking Flags:
Tracking Status
firefox54 --- fixed

People

(Reporter: nbp, Assigned: h4writer, Mentored)

Details

Attachments

(1 file)

Patch
1.05 KB, patch
nbp
: review+
Details | Diff | Splinter Review 
The issue is located here:

http://searchfox.org/mozilla-central/rev/225ab0637ed51b8b3f9f4ee2f9c339a37a65b626/js/src/jit/x64/MacroAssembler-x64.cpp#314

We should do a load32 instead of loadPtr, as ResumeFromException::kind is only 4 bytes long.

Fortunately, this is not a security issue as the only uses are in the branch32 functions.
Priority: -- → P1
Attached patch PatchSplinter Review 
Assignee: nobody → hv1989

        Attachment #8830253 -
        Flags: review?(nicolas.b.pierron)

    
  

        Attachment #8830253 -
        Flags: review?(nicolas.b.pierron) → review+

    
    

    
  
Pushed by hv1989@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/30581ce4c956
IonMonkey: Only load 32bits for ResumeFromException::kind instead of 64bits on x64, r=nbp

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/30581ce4c956
Status: NEW → RESOLVED
Closed: 7 years ago

          status-firefox54:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: