Closed Bug 1554053 Opened 6 years ago Closed 6 years ago

Wasm via Cranelift: size of interrupt check comparison is incorrect

Categories

(Core :: JavaScript: WebAssembly, defect)

Product:
Core
Component:
JavaScript: WebAssembly
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla69
Tracking Flags:
Tracking Status
firefox69 --- fixed

People

(Reporter: jseward, Assigned: jseward)

References

Details

Attachments

(1 file)

Bug 1554053 - Wasm via Cranelift: size of interrupt check comparison is incorrect.
47 bytes, text/x-phabricator-request
Details | Review

Wasm-via-Cranelift generates code to do interrupt checks by doing a machine-word sized comparison. However, the compared-against value, TlsData::interrupt, is an Atomic<uint32_t, mozilla::Relaxed>, and so the comparison is incorrect on all 64 bit targets: it also compares the 4 bytes following TlsData::interrupt, which look to me as if they are an alignment hole (iow, junk).

This is obviously incorrect, and it's observably inconsistent with what the -via-Ion and -baseline routes do, which is to always generate a 32-bit comparison.

It also holds a potential danger of a store-forwarding stall (big read after small write), although, based on the struct layout and detailed reading of the Intel opt guide, I think it's probably harmless for the Intel Core architecture family.

This patch changes Wasm-via-CL to always use a 32-bit comparison for interrupt checks.

Wasm-via-Cranelift generates code to do interrupt checks by doing a
machine-word sized comparison. However, the compared-against value,
TlsData::interrupt, is an Atomic<uint32_t, mozilla::Relaxed>, and so the
comparison is incorrect on all 64 bit targets: it also compares the 4 bytes
following TlsData::interrupt, which look to me as if they are an alignment
hole (iow, junk).

This is obviously incorrect, and it's observably inconsistent with what the
-via-Ion and -baseline routes do, which is to always generate a 32-bit
comparison.

It also holds a potential danger of a store-forwarding stall (big read after
small write), although, based on the struct layout and detailed reading of the
Intel opt guide, I think it's probably harmless for the Intel Core
architecture family.

Pushed by jseward@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/c858f52192ad Wasm via Cranelift: size of interrupt check comparison is incorrect. r=bbouvier

https://hg.mozilla.org/mozilla-central/rev/c858f52192ad

Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox69: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Assignee: nobody → jseward
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: