Closed Bug 1523558 Opened 6 years ago Closed 6 years ago

VMFunction::returnsData() tests for incorrect return-type

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla67

Tracking Flags:

Tracking

Status

firefox-esr60

66+

fixed

firefox65

---

wontfix

firefox66

fixed

firefox67

fixed

People

(Reporter: anba, Assigned: anba)

References

Details

Attachments

(1 file)

bug1523558.patch 6 years ago André Bargull [:anba] 1.09 KB, patch	nbp : review+ lizzard : approval-mozilla-beta+ RyanVM : approval-mozilla-esr60+	Details \| Diff \| Splinter Review

André Bargull [:anba]

Assignee

Description

•

6 years ago

The returnType == Type_Pointer condition in this test can never be true, because returnType is required to be either Type_Void, Type_Bool, or Type_Object. I assume the correct test is to check for Type_Object in VMFunction::returnsData().

André Bargull [:anba]

Assignee

Comment 1

•

6 years ago

Attached patch bug1523558.patch — Details — Splinter Review

I hope I get a carte blanche for any performance regressions which might happen here, just like happened for the initial issue at bug 1444856 comment 2.

Attachment #9039751 - Flags: review?(nicolas.b.pierron)

Nicolas B. Pierron [:nbp]

Comment 2

•

6 years ago

Comment on attachment 9039751 [details] [diff] [review] bug1523558.patch Review of attachment 9039751 [details] [diff] [review]: ----------------------------------------------------------------- (In reply to André Bargull [:anba] from comment #1) > I hope I get a carte blanche for any performance regressions which might happen here, just like happened for the initial issue at bug 1444856 comment 2. Yes. We should probably backport these changes too.

Attachment #9039751 - Flags: review?(nicolas.b.pierron) → review+

André Bargull [:anba]

Assignee

Updated

•

6 years ago

Keywords: checkin-needed

André Bargull [:anba]

Assignee

Comment 3

•

6 years ago

Comment on attachment 9039751 [details] [diff] [review]
bug1523558.patch

Beta/Release Uplift Approval Request

Feature/Bug causing the regression

Bug 1438886

User impact if declined

Incomplete Spectre mitigation after execution of C++ calls, cf. bug 1438886.

Is this code covered by automated tests?

Yes

Has the fix been verified in Nightly?

Needs manual test from QE?

If yes, steps to reproduce

List of other uplifts needed

None

Risk to taking this patch

Low

Why is the change risky/not risky? (and alternatives if risky)

The change is non-risky, because it only ensures a speculation barrier (lfence on x86, csdb on ARM) is emitted. It may lead to a performance regression, though.

String changes made/needed

None.

ESR Uplift Approval Request

If this is not a sec:{high,crit} bug, please state case for ESR consideration

Incomplete Spectre mitigation after execution of C++ calls, cf. bug 1438886.

User impact if declined

See Beta approval.

Fix Landed on Version

66/67

Risk to taking this patch

Low

Why is the change risky/not risky? (and alternatives if risky)

See Beta approval.

String or UUID changes made by this patch

None.

Attachment #9039751 - Flags: approval-mozilla-esr60?

Attachment #9039751 - Flags: approval-mozilla-beta?

Cosmin Sabou [:CosminS]

Comment 4

•

6 years ago

Andre, do you need this landed on inbound also?

Flags: needinfo?(andrebargull)

André Bargull [:anba]

Assignee

Comment 5

•

6 years ago

(In reply to Cosmin Sabou [:CosminS] from comment #4)

Andre, do you need this landed on inbound also?

Yes, first on inbound, please. (And after the Beta/ESR requests are approved also there.)

Flags: needinfo?(andrebargull)

Pulsebot

Comment 6

•

6 years ago

Pushed by opoprus@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/74d7d41da9e4
Fix test condition in VMFunction::returnsData(). r=nbp

Keywords: checkin-needed

Stefan Hindli [:stefan_hindli]

Comment 7

•

6 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/74d7d41da9e4

Status: ASSIGNED → RESOLVED

Closed: 6 years ago

status-firefox67: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla67

Liz Henry (:lizzard) (relman/hg->git project)

Updated

•

6 years ago

status-firefox65: --- → affected

status-firefox66: --- → affected

status-firefox-esr60: --- → affected

Liz Henry (:lizzard) (relman/hg->git project)

Comment 8

•

6 years ago

Comment on attachment 9039751 [details] [diff] [review] bug1523558.patch Spectre mitigation, ok for uplift to beta 4.

Attachment #9039751 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 9

•

6 years ago

bugherder uplift

https://hg.mozilla.org/releases/mozilla-beta/rev/1a27e2f35d33

status-firefox66: affected → fixed

Ionuț Goldan [:igoldan]

Updated

•

6 years ago

Depends on: 1524482

Ryan VanderMeulen [:RyanVM]

Updated

•

6 years ago

status-firefox65: affected → wontfix

tracking-firefox66: --- → +

tracking-firefox67: --- → +

tracking-firefox-esr60: --- → 66+

Ryan VanderMeulen [:RyanVM]

Comment 10

•

6 years ago

Comment on attachment 9039751 [details] [diff] [review] bug1523558.patch Spectre mitigation improvement. Approved for 60.6esr.

Attachment #9039751 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 11

•

6 years ago

bugherder uplift

https://hg.mozilla.org/releases/mozilla-esr60/rev/f1b5873c848a

status-firefox-esr60: affected → fixed

You need to log in before you can comment on or make changes to this bug.