Closed
Bug 738124
Opened 12 years ago
Closed 12 years ago
IonMonkey: OSI breaks if a pool lands in the wrong place
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: mjrosenb, Unassigned)
Details
Attachments
(1 file)
12.14 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
if we have the sequence 1) blx func 2) add sp, sp, 8 3) b pool_end: .data pool pool_end: 4) more code OSI correctly attempts to choose (3) to be the instruction that will later be replaced with a call, however, we record one higher(4), since it is going to be the return address. With this recorded, the displacement of (4) is correctly updated with the length of the pool, then we attempt to place a call with (4) as its return address, resulting in a call that can never be executed. By recording (3), then incrementing to get the return address, we patch the call correctly.
Attachment #608205 -
Flags: review?(dvander)
Comment on attachment 608205 [details] [diff] [review] Record the call site rather than the return site in OSI Review of attachment 608205 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/shared/CodeGenerator-shared.cpp @@ +343,5 @@ > JS_ASSERT(masm.currentOffset() - lastOsiPointOffset_ >= Assembler::patchWrite_NearCallSize()); > lastOsiPointOffset_ = masm.currentOffset(); > > + *callPointOffset = masm.currentOffset(); > + static int osiCount = 0; ^- Remember to take this out before checking in.
Attachment #608205 -
Flags: review?(dvander) → review+
Reporter | ||
Comment 2•12 years ago
|
||
landed: http://hg.mozilla.org/projects/ionmonkey/rev/01dfaa84975b
Reporter | ||
Comment 3•12 years ago
|
||
whoops.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•