Closed Bug 1944797 Opened 1 year ago Closed 1 year ago

LIRGeneratorShared::use allows MIRType::Int64 when INT64_PIECES is 2

Tracking

()

Status:

RESOLVED FIXED

Milestone:

137 Branch

Tracking Flags:

Tracking

Status

firefox137

---

fixed

People

(Reporter: anba, Assigned: anba)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Bug 1944797 - Part 1: Add LIRGeneratorShared::useLowWord to allocate register for int64 low-word. r=jandem! 1 year ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review
Bug 1944797 - Part 2: Align WasmStore for ARM32 with x86 code. r=jandem! 1 year ago André Bargull [:anba] 48 bytes, text/x-phabricator-request		Details \| Review

André Bargull [:anba]

Assignee

Description

•

1 year ago

https://searchfox.org/mozilla-central/rev/dd8b64a6198ff599a5eb2ca096845ebd6997457f/js/src/jit/shared/Lowering-shared-inl.h#25-32:

  // It is illegal to call use() on an instruction with two defs.
#if BOX_PIECES > 1
  MOZ_ASSERT(mir->type() != MIRType::Value);
#endif
#if INT64_PIECES > 1
  MOZ_ASSERT(mir->type() != MIRType::Int64);
#endif

This code incorrectly allows MIRType::Int64 when INT64_PIECES is 2. (The BOX_PIECES > 1 check works correctly, though.)

Hint: Check how INT64_PIECES and BOX_PIECES are defined.

André Bargull [:anba]

Assignee

Comment 1

•

1 year ago

Attached file Bug 1944797 - Part 1: Add LIRGeneratorShared::useLowWord to allocate register for int64 low-word. r=jandem! — Details

LIRGeneratorShared::use allowed to allocate a register for the low-word of an
int64 value, because the INT64_PIECES > 1 assertion didn't propery work. (The
assertion was wrapped with #if INT64_PIECES > 1, but INT64_PIECES is a C++
constant and not a macro processor #define, so #if INT64_PIECES > 1 always
evaluated to false.)

Add LIRGeneratorShared::useLowWord for 32-bit targets to provide the correct
way to allocate a register for an int64 low-word. And then update the three places
which only worked due to the incorrect assertion:

lowerForShiftInt64 on x86 and arm32.
visitWasmWrapU32Index when JS_64BIT is false.
visitWasmStore for x86 when the input is an int64 value.

André Bargull [:anba]

Assignee

Comment 2

•

1 year ago

Attached file Bug 1944797 - Part 2: Align WasmStore for ARM32 with x86 code. r=jandem! — Details

Align with the x86 code to only use LWasmStoreI64 the input is an Int64 value.

Matthew Gaudet (he/him) [:mgaudet]

Updated

•

1 year ago

Blocks: sm-jits

Severity: -- → S3

Priority: -- → P3

Pulsebot

Comment 3

•

1 year ago

Pushed by andre.bargull@gmail.com: https://hg.mozilla.org/integration/autoland/rev/12ba7ff7a874 Part 1: Add LIRGeneratorShared::useLowWord to allocate register for int64 low-word. r=jandem https://hg.mozilla.org/integration/autoland/rev/636a1a175b01 Part 2: Align WasmStore for ARM32 with x86 code. r=jandem

Serban Stanca [:SerbanS]

Comment 4

•

1 year ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/12ba7ff7a874
https://hg.mozilla.org/mozilla-central/rev/636a1a175b01

Status: ASSIGNED → RESOLVED

Closed: 1 year ago

status-firefox137: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 137 Branch

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Updated

•

1 year ago

Regressions: 1947697

You need to log in before you can comment on or make changes to this bug.

Bugzilla

LIRGeneratorShared::use allows MIRType::Int64 when INT64_PIECES is 2

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Tracking

()

People

(Reporter: anba, Assigned: anba)

References

(Blocks 1 open bug)

Details

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Comment 2

Updated

Comment 3

Comment 4

Updated

Attachment

General

Description

File Name

Content Type