Closed Bug 813671 Opened 13 years ago Closed 13 years ago

IonMonkey: ModI can clobber input register

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20

People

(Reporter: bhackett1024, Assigned: bhackett1024)

References

Details

Attachments

(1 file, 1 obsolete file)

fix careless bug
2.56 KB, patch
jandem
: review+
Details | Diff | Splinter Review
On x86/x64, ModI overwrites both eax and edx, but only the latter is marked as an output. The former is a fixed input, and if that input is used anywhere in the instruction's snapshot then the interpreter stack reconstructed on a bailout may be incorrect. This isn't a problem for LSRA as it treats the fixed input like a mutable temporary, but this is really a detail of that allocator rather than a general property which should hold of all allocators.
Attached patch patch (obsolete) — Splinter Review
Fix. This affects the backtracking allocator (bug 814966) as well.
Assignee: general → bhackett1024
Attachment #691567 - Flags: review?(jdemooij)
Attached patch fix careless bugSplinter Review
Oops
Attachment #691567 - Attachment is obsolete: true
Attachment #691567 - Flags: review?(jdemooij)
Attachment #691655 - Flags: review?(jdemooij)
Blocks: 814966
Attachment #691655 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/946bc83d50df
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: