Closed Bug 486669 Opened 17 years ago Closed 17 years ago

TraceMonkey: The ARM-specific _nSlot pointer should be reset along with _nIns.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
ARM
All
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jbramley, Assigned: jbramley)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files)

A patch that adds instrumentation to allow the bug to be triggered. Not to be commited to the repository!
1.36 KB, patch
Details | Diff | Splinter Review
Reset _nSlot when _nIns is reset on ARM.
4.43 KB, patch
vlad
: review+
edwsmith
: review+
Details | Diff | Splinter Review
In Assemler.cpp, _nIns is reset in a few places where error() indicates that something went wrong with the code generation. However, on the ARM platform, there is additional pointer — _nSlot — which is used to write data into the literal pool. However, much of the generated code relies on _nIns and _nSlot being within a certain range of one another, and in practice this means that they must remain on the same page. underrunProtect ensures that this happens, but when an error() occurs, _nIns is simply reset and _nSlot is not touched. This event will be rare, and indeed it does not occur in the js/tests tests or in trace-tests.js, but when it does happen it will cause data corruption or a crash of some kind. I have a fix for this but have not yet produced a tidy patch. Note that it is not easy to reproduce this problem without adding instrumentation to the code to force an error() to occur. As a result, it is not possible to write a JavaScript test in trace-tests.js to catch this. I will, however, upload a patch which can be used to trigger the bug.
NOTE: This patch isn't intended to be committed to the repository. The patch will add instrumentation to Assembler.cpp to allow the _nSlot bug to be triggered. It does this by forcing the error state to be set periodically. I can reliably reproduce this bug by running trace-tests.js with this patch applied and the JIT enabled.
Note that the patch also modifies the Nativei386 and NativeSparc code. The change is trivial, but I am not able to test the SPARC version. I have added two functions which Native*.cpp files must implement: recordStartingInstructionPointer and resetInstructionPointer. Note that you must apply my instrumentation patch (370859) and run trace-tests.js to actually test this, as described in my previous comment.
Attachment #370879 - Flags: review?(vladimir)
Attachment #370879 - Flags: review?(edwsmith)
Attachment #370879 - Flags: review?(edwsmith) → review+
Needs check-in on tracemonkey.
Status: NEW → ASSIGNED
Keywords: checkin-needed
http://hg.mozilla.org/tracemonkey/rev/f272a9e9dad6
Keywords: checkin-needed4xp
Whiteboard: fixed-in-tracemonkey
Keywords: 4xp
http://hg.mozilla.org/mozilla-central/rev/f272a9e9dad6
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: