Closed Bug 609970 Opened 9 years ago Closed 9 years ago

JM: Register syncing bug with heavy pressure, pinned registers

Categories: Core :: JavaScript Engine, defect
Platform: All / Linux
Status: RESOLVED FIXED
Tracking Status: blocking2.0 --- beta8+
People: Reporter: dvander, Assigned: dvander
Whiteboard: fixed-in-tracemonkey
Attachments: 1 file

This bug was exposed by a setelem test case with bug 592976. Under heavy register pressure, x86/ARM use the "immutable sync" algorithm. This accidentally sees pinned registers as free, and clobbers them.

For example:
  slot 0 is pinned in EAX, and unsynced.
  slot 1 is in memory.
  slot 2 is a copy of slot 1, and unsynced.

Working backwards, we start syncing from slot 2. We need to allocate a register for the memory-to-memory move (slot 1 -> slot 2). It's okay to pick EAX, but only if we evict it first. Since it's pinned, we don't evict it, and simply clobber it.

When we go to sync slot 0, however, we *do* notice that it's pinned, and assume it hasn't been clobbered. But it is, and we write garbage to the stack.
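To make the failure concrete, here is a small Python model of the scenario above. It is an added example, not JaegerMonkey code: a toy slot/register state, a sync pass that walks the slots backwards, and a scratch-register picker that either ignores or respects pinning. It assumes a three-register file, that a copied slot's source lives in memory, and that syncing a pinned slot simply stores the register's contents.

```python
from dataclasses import dataclass, field

REGS = ["eax", "ecx", "edx"]  # toy register file, tried in this order
@dataclass
class Slot:
    reg: "str | None" = None      # register holding the slot's value
    synced: bool = False          # True once memory holds the value
    copy_of: "int | None" = None  # index of the slot this one duplicates

@dataclass
class Frame:
    slots: list
    memory: dict = field(default_factory=dict)     # slot index -> value
    regfile: dict = field(default_factory=dict)    # reg -> contents
    reg_owner: dict = field(default_factory=dict)  # reg -> owning slot
    pinned: set = field(default_factory=set)       # regs that must not be evicted

def pick_scratch(frame, respect_pinned):
    for r in REGS:
        if r not in frame.reg_owner:
            return r
        if r in frame.pinned and not respect_pinned:
            # BUG: the pinned register is mistaken for free and handed out
            # without first syncing (evicting) the slot that lives in it.
            return r
    raise RuntimeError("no scratch register available")

def sync_frame(frame, respect_pinned):
    """Sync every unsynced slot to memory, walking from the last slot back."""
    for i in reversed(range(len(frame.slots))):
        s = frame.slots[i]
        if s.synced:
            continue
        if s.copy_of is not None:   # source is in memory: needs a scratch reg
            r = pick_scratch(frame, respect_pinned)
            frame.regfile[r] = frame.memory[s.copy_of]  # load
            frame.memory[i] = frame.regfile[r]          # store
        else:
            # A pinned register is assumed untouched, so it is stored as-is;
            # after the buggy scratch pick this writes slot 1's value instead.
            frame.memory[i] = frame.regfile[s.reg]
        s.synced = True
    return frame.memory

def run_scenario(respect_pinned):
    """Slot 0 pinned in eax (10, unsynced); slot 1 in memory (20); slot 2 copies 1."""
    f = Frame(slots=[Slot(reg="eax"), Slot(synced=True), Slot(copy_of=1)])
    f.regfile["eax"], f.reg_owner["eax"], f.memory[1] = 10, 0, 20
    f.pinned.add("eax")
    return sync_frame(f, respect_pinned)
```

With `respect_pinned=False` slot 0 ends up holding slot 1's value in memory, which is the garbage store described above; with `respect_pinned=True` the scratch move uses ecx and slot 0 syncs correctly.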
Attached patch: fix
Attachment #488537 - Flags: review?(dmandelin)
Attachment #488537 - Flags: review?(dmandelin) → review+
blocking2.0: --- → beta8+
http://hg.mozilla.org/mozilla-central/rev/636b1e5a994f
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED