Closed Bug 1510334 Opened Last year Closed Last year

Lower LMulI and fix register corruption

Categories

(Core :: JavaScript Engine: JIT, enhancement, P2)

ARM64
All
enhancement

Tracking

RESOLVED FIXED
mozilla65
Tracking Status
firefox65 --- fixed

People

(Reporter: sstangl, Assigned: sstangl)

References

(Blocks 1 open bug)

Attachments

(1 file, 1 obsolete file)

This patch fixes arguments/args2d.js.

In the case of multiplication by small constants, visitMulI() would mutate a register assumed to be unchanged, and then fail to write to the destination register, usually exposing some stack addresses.

This isn't a security issue because we don't ship IonMonkey on ARM64.
Attachment #9027947 - Flags: review?(jitbugs)
Priority: -- → P2
Attachment #9027947 - Flags: review?(jitbugs) → review?(nicolas.b.pierron)
Rebased on top of Gecko style changes.
Attachment #9027947 - Attachment is obsolete: true
Attachment #9027947 - Flags: review?(nicolas.b.pierron)
Attachment #9028972 - Flags: review?(nicolas.b.pierron)
Attachment #9027947 - Attachment is obsolete: false
Attachment #9027947 - Attachment is obsolete: true
Attachment #9028972 - Flags: review?(nicolas.b.pierron) → review+
Keywords: checkin-needed
Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/beea2dd156f7
Lower LMulI and fix register corruption. Fixes arguments/args2d.js. r=nbp
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/beea2dd156f7
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla65