Closed Bug 1510334 Opened Last year Closed Last year
I and fix register corruption
This patch fixes arguments/args2d.js. In the case of multiplication by small constants, visitMulI() would mutate a register assumed to be unchanged, and then fail to write to the destination register, usually exposing some stack addresses. This isn't a security issue because we don't ship IonMonkey on ARM64.
Attachment #9027947 - Flags: review?(jitbugs)
Attachment #9027947 - Flags: review?(jitbugs) → review?(nicolas.b.pierron)
Rebased on top of Gecko style changes.
Attachment #9028972 - Flags: review?(nicolas.b.pierron) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/beea2dd156f7 Lower LMulI and fix register corruption. Fixes arguments/args2d.js. r=nbp
You need to log in before you can comment on or make changes to this bug.