IonMonkey: scratch register gets overwritten on ARM

RESOLVED FIXED

Status


Core
JavaScript Engine
5 years ago

People

(Reporter: mjrosenb, Unassigned)

(Reporter)

Description

5 years ago
If you attempt to store an immediate into a large offset from a base register, we attempt to use the scratch register to hold both the calculated offset and the immediate. This currently results in a bogus value being written into the correct location, rather than a sane value being written into a bogus location.
(Reporter)

Comment 1

5 years ago
Created attachment 602875
/home/mrosenberg/patches/scratchOverwrite-r0.patch

The inevitable has happened, and I'm giving in and taking a second scratch register for ARM. The previously unused link register will become the second scratch register. Previously, it was only used in one spot, but I'd missed a whole load of cases where two different values need to be in a scratch register at the same time.
Attachment #602875 - Flags: review?(dvander)
Attachment #602875 - Flags: review?(dvander) → review+
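
The clobber from the description and the two-scratch fix from Comment 1, as an added example: a toy C++ model written for this page, not IonMonkey code and not the attached patch. The register names, the `storeImm`/`storeReg` helpers and the instruction order are assumptions; the 12-bit limit is the immediate offset field of ARM word loads and stores.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>

// Toy model, constructed for illustration: three registers and sparse memory.
enum Reg { Base, Scratch, SecondScratch, NumRegs };

struct Machine {
    uint32_t regs[NumRegs] = {};
    std::map<uint32_t, uint32_t> mem;
};

// ARM word stores encode at most a 12-bit immediate offset; anything larger
// has to be added to the base in a register first.
constexpr uint32_t kMaxImmOffset = 4095;

// True when a store-immediate would need one register for two live values.
bool scratchConflict(Reg immReg, Reg addrReg, uint32_t offset) {
    return offset > kMaxImmOffset && immReg == addrReg;
}

// str value, [base, #offset], computing the address into addrReg if needed.
void storeReg(Machine& m, Reg value, Reg base, uint32_t offset, Reg addrReg) {
    uint32_t addr = m.regs[base] + offset;
    if (offset > kMaxImmOffset) m.regs[addrReg] = addr;  // clobbers addrReg
    m.mem[addr] = m.regs[value];          // value is read after the clobber
}

// Store an immediate: materialise it in immReg, then store that register.
void storeImm(Machine& m, uint32_t imm, Reg base, uint32_t offset,
              Reg immReg, Reg addrReg) {
    m.regs[immReg] = imm;
    storeReg(m, immReg, base, offset, addrReg);
}

// Returns the word that ends up at base + offset.
uint32_t wordStored(uint32_t offset, bool useSecondScratch) {
    Machine m;
    m.regs[Base] = 0x10000;
    storeImm(m, 0xCAFE, Base, offset, Scratch,
             useSecondScratch ? SecondScratch : Scratch);
    return m.mem[0x10000 + offset];
}

int main() {
    std::printf("one scratch: 0x%x, two: 0x%x\n",
                (unsigned)wordStored(0x5000, false), (unsigned)wordStored(0x5000, true));
}
```

With one scratch register the word at the target address is the address itself, which is the "bogus value in the correct location" outcome; a check like `scratchConflict` in a debug build flags the aliasing at code-generation time.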
(Reporter)

Comment 2

5 years ago
landed: http://hg.mozilla.org/projects/ionmonkey/rev/8979dfc0ddf2
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED