Arm64 emulation of tbl instruction is broken
Categories
(Core :: JavaScript Engine: JIT, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox83 | --- | fixed |
People
(Reporter: lth, Assigned: lth)
References
Details
Attachments
(1 file, 1 obsolete file)
The emulation of tbl (Logic-vixl.cpp 2250 et seq) performs tbl in terms of tbx by first moving zero to the destination register and then invoking tbx. This is incorrect when the table register is the same as the destination register. The ARM ARM is clear that the destination is updated only when the instruction is complete; a temporary result is used to hold the bits as they are being computed, and this result is initialized to zero for tbl and to the destination register for tbx.
Affects only the WebAssembly SIMD work, no JS implact.
|
Assignee | |
Comment 1•4 years ago
|
||
The emulation must use a temporary register to avoid clobbering the output register early.
|
|
Assignee | |
Comment 2•4 years ago
|
||
Also fixed upstream, in a more principled manner: https://git.linaro.org/arm/vixl.git/tree/src/aarch64/logic-aarch64.cc#n3227
|
||
Updated•4 years ago
|
|
|
Assignee | |
Comment 3•4 years ago
|
||
The emulation must use a temporary register to avoid clobbering the
output register early.
|
|
||
Updated•4 years ago
|
Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/42ffc70267ab Fix emulation of tbl instruction. r=jseward
|
||
Comment 5•4 years ago
|
||
| bugherder | ||
Description
•