Closed
Bug 620424
Opened 14 years ago
Closed 12 years ago
OP_callstatic's JIT and interpreter side effects are different
Categories
(Tamarin Graveyard :: Verifier, defect, P2)
Tamarin Graveyard
Verifier
Tracking
(Not tracked)
RESOLVED
FIXED
Q2 12 - Cyril
People
(Reporter: edwsmith, Assigned: wmaddox)
References
Details
Attachments
(2 files)
726 bytes,
text/plain
|
Details | |
913 bytes,
patch
|
edwsmith
:
review+
|
Details | Diff | Splinter Review |
In the verifier, which drives the JIT through the CodeWriter interface, we have: Verifier case OP_callstatic: emitCoerceArgs(m, argc) // coerce each arg -- can throw. emitCheckNull(sp-argc) // check that the object isn't null. can throw. coder->writeOp2() // does the call. Interpreter case OP_callstatic: env->nullcheck(sp[-i2]) // check the object isn't null f->coerceEnter(...) // coerce args, then call The other call operators first check for null before resolving the call target, then coercing the args. Therefore in this case, the bug is that the verifier calls emitCoerceArgs() and emitCheckNull() out of order. A test case that demonstrates the problem would have to pass in a legally- typed, but null, object, as well as illegally-typed arguments. The JIT would fail by throwing a coerce error before throwing a null error.
Reporter | ||
Updated•14 years ago
|
Blocks: interp_jit_semantics
Assignee | ||
Updated•14 years ago
|
Assignee: nobody → wmaddox
Assignee | ||
Comment 1•14 years ago
|
||
It appears that ASC seldom generates 'callstatic' instructions. Only two of our acceptance tests contain such an instruction: test/acceptance/regress/bug_498979.as test/acceptance/abcasm/nullCheck/CallStatic.abs The second of these is hand-coded abcasm. The first can be illustrated by the following similar example: var _any:*; function set any(val:*) { _any = val; } any = 'hello world'; // setter 'any' is called with 'callstatic' function foo(val:*) { _any = val; } foo('hello world'); // function 'foo' is called with 'callproperty' I asked Jeff Dyer about this, and he said the following: "It appears that the only way to emit OP_callstatic is by invoking a global getter or setter. If you have to invoke it on a null reference, then you'll need to use abcasm." I conclude that it is unlikely that this issue has ever been observed in the field, and, in any event, may simply be fixed without backward compatibility concerns, e.g., versioning.
Reporter | ||
Comment 2•14 years ago
|
||
Agreed, if we can affirm that callstatic is rare-to-nonexistant in the wild, I'm for a non-versioned fix. and of course a test case either way.
Assignee | ||
Comment 3•14 years ago
|
||
I hacked tr-spicy to print a diagnostic when the verifier sees 'callstatic'. Using my local Brightspot snapshot and -Dverifyonly, there appear to be no occurrences at all, other than what may be hiding in SWFs that fail to verify. (This is not uncommon, due to external references that fail to resolve.) My snapshot was taken a few months ago, when the 2/2010 dataset was the most current. I notice we've got some new data, and some reorganization of the Brightspot directories. I'll give the experiment another try when I update my snapshot.
Assignee | ||
Updated•13 years ago
|
Target Milestone: --- → flash10.x-Serrano
Updated•13 years ago
|
Flags: flashplayer-injection-
Flags: flashplayer-bug-
Target Milestone: Q3 11 - Serrano → Q1 12 - Brannan
Flags: flashplayer-qrb+
Priority: -- → P2
Target Milestone: Q1 12 - Brannan → Q2 12 - Cyril
Assignee | ||
Comment 4•12 years ago
|
||
This is an 'abcasm' test. I believe that this issue cannot be reproduced in AS3 code compiled with ASC, as it would be necessary for the global object to be null, if Jeff's claim is correct.
Assignee | ||
Comment 5•12 years ago
|
||
Attachment #601498 -
Flags: review?(edwsmith)
Reporter | ||
Updated•12 years ago
|
Attachment #601498 -
Flags: review?(edwsmith) → review+
Comment 6•12 years ago
|
||
changeset: 7237:f6f3c2a7ca12 user: William Maddox <wmaddox@adobe.com> summary: Bug 620424: Order side-effects in OP_callstatic consistently between JIT and interpreter (r=edwsmith) http://hg.mozilla.org/tamarin-redux/rev/f6f3c2a7ca12
Assignee | ||
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•