Closed
Bug 520718
Opened 15 years ago
Closed 14 years ago
nanojit: i386 backend accesses the stack below SP
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 590553
People
(Reporter: n.nethercote, Unassigned)
Details
Running lirasm --random I see lots of these: ==28514== Invalid read of size 8 ==28514== at 0x4CD6EB3: ??? ==28514== by 0x805A541: main (lirasm.cpp:1553) ==28514== Address 0xfeb767b8 is just below the stack ptr. To suppress, use: --workaround-gcc296-bugs=yes AIUI Valgrind complains about this because the x86 ABI doesn't guarantee that addresses below SP (in the sense "addresses lower than SP") are accessible. Eg. the kernel could trash them at any time. The code responsible is in asm_u2f(): const int disp = -8; const Register base = SP; Register gr = findRegFor(ins->oprnd1(), GpRegs); NanoAssert(rr == FST0); FILDQ(disp, base); STi(base, disp+4, 0); // high 32 bits = 0 ST(base, disp, gr); // low 32 bits = unsigned value The generated code looks like this: u2f13 = u2f ld5 mov -8(esp),ebx mov -4(esp),0 fildq -8(esp) AFAICT the eight bytes just below ESP are being used as a very short-term scratch space. This also avoids using a register for the base pointer. It seems unlikely to cause any problems in practice but is probably worth avoiding (by allocating memory on the stack with findMemFor()) just to keep things Valgrind-clean.
Comment 1•15 years ago
|
||
My ESP-relative addressing patch fixes this as a side effect. I will try to get back to that this week.
Comment 2•15 years ago
|
||
(In reply to comment #0) > u2f13 = u2f ld5 > mov -8(esp),ebx > mov -4(esp),0 > fildq -8(esp) > > It seems unlikely to cause any problems in practice Random unreproducible crashes/failures, especially in cases where many signals are delivered, eg, in SIGPROF-based profiling setups.
Reporter | ||
Comment 3•15 years ago
|
||
I still see this, with 'valgrind --smc-check=all lirasm --random 10000'.
Comment 4•15 years ago
|
||
The least-worst safe replacement sequence I can think of is pushl $0 pushl %ebx fildq 0(%esp) addl $8,%esp Additional comment re both sequences: this kind of thing looks like it's asking for trouble w.r.t. store-forwarding stalls. Indeed, the "Intel 64 and IA-32 Architectures Optimization Reference Manual" version dated Nov 2007, lists this as Example 3-33 on page 3-54: mov mem, eax mov mem+4, ebx fld mem ; load qword at address "MEM", stalls
Comment 5•15 years ago
|
||
fld can take a memory address as argument, right? Why don't we use that form? Just put the constant into memory and load it. That should avoid the stall.
Comment 6•15 years ago
|
||
(In reply to comment #5) > Just put the constant into memory and load it. That should avoid the stall. I don't understand. The sequence appears to be intended to take the value in %ebx, convert it unsignedly into a 80-bit float, and park it in %st0. I don't see how to do that without doing a store of %ebx, at least, shortly before the fildq.
Reporter | ||
Comment 7•15 years ago
|
||
(In reply to comment #4) > Additional comment re both sequences: this kind of thing looks > like it's asking for trouble w.r.t. store-forwarding stalls. This code only occurs on non-SSE2 machines so avoiding stalls doesn't seem that important... worth doing if it's easy, but otherwise not.
Reporter | ||
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•