Closed
Bug 524122
Opened 15 years ago
Closed 14 years ago
Incorrect optimization for integers in numeric sort
Categories
(Tamarin Graveyard :: Virtual Machine, defect, P3)
Tamarin Graveyard
Virtual Machine
Tracking
(Not tracked)
RESOLVED
FIXED
Q3 11 - Serrano
People
(Reporter: lhansen, Assigned: lhansen)
References
Details
(Whiteboard: has-patch, WE:3020715)
Attachments
(2 files, 6 obsolete files)
|
9.44 KB,
patch
|
stejohns
:
review+
|
Details | Diff | Splinter Review |
|
1.97 KB,
patch
|
stejohns
:
review+
|
Details | Diff | Splinter Review |
The case in ArraySort::NumericCompare that compares integers is vulnerable to overflow; overflowing results frequently have the wrong sign, thus breaking the sort.
|
Assignee | |
Comment 1•15 years ago
|
||
The test case must be compiled with ASC. Attaching pre-compiled ABC too.
|
|
Assignee | |
Comment 2•15 years ago
|
||
|
|
Assignee | |
Comment 3•15 years ago
|
||
Patch will require versioning.
Attachment #408017 -
Flags: review?(stejohns)
|
|
Assignee | |
Updated•15 years ago
|
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
Whiteboard: Has patch
|
||
Updated•15 years ago
|
Flags: in-testsuite?
|
||
Comment 4•15 years ago
|
||
Comment on attachment 408017 [details] [diff] [review]
Obvious fix
Heh, nope, actually, int atoms can be > 32 bits on 64-bit builds... see https://bugzilla.mozilla.org/show_bug.cgi?id=521353 for more info.
but just return the int32 casts (doing an intptr_t subtraction) and I think that will be right.
Attachment #408017 -
Flags: review?(stejohns) → review-
|
|
Assignee | |
Comment 5•15 years ago
|
||
(In reply to comment #4)
> (From update of attachment 408017 [details] [diff] [review])
> Heh, nope, actually, int atoms can be > 32 bits on 64-bit builds... see
> https://bugzilla.mozilla.org/show_bug.cgi?id=521353 for more info.
>
> but just return the int32 casts (doing an intptr_t subtraction) and I think
> that will be right.
Presumably you mean s/return/remove/ .... brain fart on my part. Will attach a new patch.
|
|
Assignee | |
Comment 6•15 years ago
|
||
Attachment #408017 -
Attachment is obsolete: true
|
|
||
Updated•15 years ago
|
Attachment #408379 -
Flags: review+
|
|
Assignee | |
Updated•15 years ago
|
Whiteboard: Has patch → Has patch; versioning
|
|
Assignee | |
Updated•15 years ago
|
Whiteboard: Has patch; versioning → Has patch
|
||
Updated•15 years ago
|
Target Milestone: flash10.1 → Future
|
|
Assignee | |
Updated•15 years ago
|
Assignee: lhansen → nobody
Priority: P3 → --
|
||
Comment 7•15 years ago
|
||
This is a mass change. Every comment has "assigned-to-new" in it.
I didn't look through the bugs, so I'm sorry if I change a bug which shouldn't be changed. But I guess these bugs are just bugs that were once assigned and people forgot to change the Status back when unassigning.
Status: ASSIGNED → NEW
|
||
Comment 8•14 years ago
|
||
Any reason this hasn't landed?
|
|
Assignee | |
Comment 9•14 years ago
|
||
(In reply to comment #8)
> Any reason this hasn't landed?
It needs to be properly versioned and the patch predates all that. Me fix.
Assignee: nobody → lhansen
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 10•14 years ago
|
||
Same fix but revised with versioning. Note the test is in ecma3/Array, even though it uses 'import' and passes a non-Ecma argument to Array.prototype.sort(). Opinions on that choice would be welcomed.
Attachment #408013 -
Attachment is obsolete: true
Attachment #408016 -
Attachment is obsolete: true
Attachment #408379 -
Attachment is obsolete: true
Attachment #469419 -
Flags: review?(stejohns)
|
|
Assignee | |
Updated•14 years ago
|
Whiteboard: Has patch → has-patch
|
||
Comment 11•14 years ago
|
||
my opinion is such a test only works on as3 and thus belongs under as3/Array
|
|
||
Comment 12•14 years ago
|
||
Comment on attachment 469419 [details] [diff] [review]
Patch, with versioning and versioned test cases
Looks fine, with one caveat: I'd like to see a performance test to ensure adding the check hasn't caused a perf regression due to the test-in-the-inner-loop this introduces. (Simple enough to fix if so, just add a new NumericCompare proc and select it based on the bugCompatibility flag)
Attachment #469419 -
Flags: review?(stejohns) → review+
|
|
Assignee | |
Comment 13•14 years ago
|
||
(Thinking out loud.)
A reasonable test would be to sort integer arrays of three lengths with Array.NUMERIC: short (say, five elements), medium (50), and long (5000).
The baseline cannot be the original code because it gets the result wrong so it may not perform the correct number of operations.
Instead, I will have to compare the code I propose to land and the code that has a separate NumericCompare proc, and select the second if it is faster.
|
|
Assignee | |
Comment 14•14 years ago
|
||
Results suggest that it is significantly faster across the board to have two functions, one correct and one compatible. The reason is easy to understand: AvmCore::currentBugCompatibility mucks around to get the code context. I had forgotten that, I thought of it as a simple inlined getter.
I'll refine the patch and offer a new patch for review (with the test cases rewritten to the new regime and moved to their appropriate places).
|
|
Assignee | |
Updated•14 years ago
|
Attachment #469419 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 15•14 years ago
|
||
Attachment #471082 -
Flags: review?(stejohns)
|
|
||
Comment 16•14 years ago
|
||
(In reply to comment #14)
> AvmCore::currentBugCompatibility mucks around to get the code context. I had
> forgotten that, I thought of it as a simple inlined getter.
Yeah, the guidelines for using it are that it's cheap, but not free: don't call it in the inner loop.
|
|
||
Updated•14 years ago
|
Attachment #471082 -
Flags: review?(stejohns) → review+
|
|
Assignee | |
Comment 17•14 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 18•14 years ago
|
||
This was pushed as 5155:f4a0efbffbe7, but I'd like a post-hoc review just to be on the safe side. The logic is that since the input values are atoms then their intptr_t representations carry values that are in the int32_t range, thus converting from intptr_t to int is always lossless (int is at least as large as int32_t).
The use of 'int' is in the existing API, which we should clean up at some point.
Attachment #471422 -
Flags: review?(stejohns)
|
|
Assignee | |
Comment 19•14 years ago
|
||
Reopening because the expected result for the old incorrect code is different on 32-bit and 64-bit systems - the test case probably needs refining. The issue is that atoms carry integer values outside the 32-bit range. As a consequence the int cast I just inserted in the compile fix may be too naive a fix.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 20•14 years ago
|
||
Updates test case to deal with different incorrect results on 32-bit and 64-bit systems.
Updates the new code to avoid a cast from intptr_t to int on 64-bit systems.
Was pushed as tamarin-redux changeset: 5156:5ecff2fedcb2, review still required.
Attachment #471422 -
Attachment is obsolete: true
Attachment #471439 -
Flags: review?(stejohns)
Attachment #471422 -
Flags: review?(stejohns)
|
|
Assignee | |
Updated•14 years ago
|
Status: REOPENED → ASSIGNED
|
|
Assignee | |
Updated•14 years ago
|
Priority: -- → P3
Target Milestone: Future → flash10.2
|
|
||
Comment 21•14 years ago
|
||
Comment on attachment 471439 [details] [diff] [review]
Test fix, better compile fix
At first I was concerned that the difference in return result could cause subtle issues with user code, but the values never percolate out to AS3, so I think we're safe.
Attachment #471439 -
Flags: review?(stejohns) → review+
|
|
Assignee | |
Updated•14 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
|
|
||
Updated•14 years ago
|
Flags: flashplayer-bug+
|
||
Updated•13 years ago
|
Whiteboard: has-patch → has-patch, WE:3020715
You need to log in
before you can comment on or make changes to this bug.
Description
•