Closed Bug 1914979 Opened 9 months ago Closed 7 months ago

Definition of non-volatile SIMD registers for ARM64 is wrong

Categories

(Core :: JavaScript: WebAssembly, task, P2)


Tracking


RESOLVED FIXED
133 Branch
Tracking Status
firefox-esr115 --- wontfix
firefox-esr128 --- wontfix
firefox131 --- wontfix
firefox132 --- wontfix
firefox133 --- fixed

People

(Reporter: jandem, Assigned: jandem)

Details

(Keywords: sec-other, Whiteboard: [adv-main133-])

Attachments

(1 file)

See bug 1897792 comment 50. We currently mark the v8-v15 registers as non-volatile (preserved by calls) on ARM64, but this only applies to the bottom 64 bits so this is wrong for SIMD registers.

This might affect CodeGenerator::visitOutOfLineWasmCallPostWriteBarrierImmediate where we call saveLiveVolatile to only save the volatile registers.

This isn't security sensitive but this should stay hidden until bug 1897792 is fixed.

Duplicate of this bug: 1922345

anba wrote a test for this bug. It's in the patch in bug 1919803.

André confirmed that the obvious fix for NonVolatileSingleMask fixes his test case so NI myself to post that patch next week...

Flags: needinfo?(jdemooij)

Only the bottom 64 bits will be preserved by C++ code so we shouldn't treat the SIMD registers as non-volatile.

The patch in bug 1919803 has a Wasm test for this.
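The following is an added model of the failure described in this bug, not SpiderMonkey code: vector registers are 128-bit integers, a simulated C++ callee preserves only the low 64 bits of v8-v15 as AAPCS64 requires, and a `saveLiveVolatile`-style helper spills only the live registers that a given non-volatile mask calls volatile. The mask names and the `value_survives` helper are constructed for this illustration.

```python
import random

NUM_VREGS = 32
# AAPCS64: a C++ callee must preserve only the low 64 bits of v8-v15.
CALLEE_SAVED_LOW64 = frozenset(range(8, 16))
LOW64 = (1 << 64) - 1

# Constructed masks. For 64-bit (double) values, v8-v15 really are preserved.
NONVOLATILE_DOUBLE = CALLEE_SAVED_LOW64
# Before the fix the same set was also used for 128-bit SIMD values (the bug).
NONVOLATILE_SIMD_BEFORE_FIX = CALLEE_SAVED_LOW64
# After the fix no SIMD register is treated as surviving a C++ call unsaved.
NONVOLATILE_SIMD_AFTER_FIX = frozenset()


def clobber_like_cpp_callee(regs, rng):
    """Simulate a C++ callee: low 64 bits of v8-v15 kept, everything else may change."""
    out = []
    for i, r in enumerate(regs):
        if i in CALLEE_SAVED_LOW64:
            out.append((r & LOW64) | (rng.getrandbits(64) << 64))
        else:
            out.append(rng.getrandbits(128))
    return out


def call_with_save_live_volatile(regs, live, nonvolatile_mask, rng):
    """saveLiveVolatile analogue: spill live regs the mask calls volatile, call, restore."""
    saved = {i: regs[i] for i in live if i not in nonvolatile_mask}
    after = clobber_like_cpp_callee(regs, rng)
    for i, value in saved.items():
        after[i] = value
    return after


def value_survives(reg, width_bits, nonvolatile_mask, seed=1):
    """True if a live `width_bits`-wide value held in v<reg> is intact after the call."""
    rng = random.Random(seed)
    regs = [rng.getrandbits(128) for _ in range(NUM_VREGS)]
    keep = (1 << width_bits) - 1
    before = regs[reg] & keep
    after = call_with_save_live_volatile(regs, {reg}, nonvolatile_mask, rng)
    return (after[reg] & keep) == before


if __name__ == "__main__":
    print("double in v8, double mask     :", value_survives(8, 64, NONVOLATILE_DOUBLE))
    print("SIMD128 in v8, mask before fix:", value_survives(8, 128, NONVOLATILE_SIMD_BEFORE_FIX))
    print("SIMD128 in v8, mask after fix :", value_survives(8, 128, NONVOLATILE_SIMD_AFTER_FIX))
```

With the pre-fix mask a live 128-bit value in v8 is not spilled around the call and comes back with its upper half clobbered; with the fixed mask it is saved and restored, while 64-bit values in v8-v15 were never at risk.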

Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #9431022 - Attachment description: Bug 1914979 - Don't mark v8-v15 arm64 registers as volatile. r?yury! → Bug 1914979 - Don't mark v8-v15 arm64 SIMD registers as non-volatile. r?yury!
Flags: needinfo?(jdemooij)
Pushed by jdemooij@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/db06e8ac3482 Don't mark v8-v15 arm64 SIMD registers as non-volatile. r=yury
Severity: -- → N/A
Priority: -- → P2
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → 133 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main133-]
Group: core-security-release