Closed Bug 915979 Opened 11 years ago Closed 11 years ago

Float32Array read/write incorrect value.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 915495

People

(Reporter: mbx, Unassigned)

References

Details

Attachments

(1 file)

bug.html
778 bytes, text/html
Details
Attached file bug.html 
Reading back values that were just written into a Float32Array can be significantly different. This seems to be a regression, as it only happens in Nightly. 

Open attached file in Nightly and wait a few seconds. I was only able to reproduce it by using requestAnnimationFrame with float values from performance.now().

Marking it as a security bug for now since it may be a memory corruption problem.
Fallout from bug 899139?
Blocks: 899139
So this is exciting.  The first alert I got shows 6726.487684000001 and -1933449455730688.0 for the "wanted to write" and "wrote" numbers, respectively.  In hex, we have:

Wanted:       0x40ba467cd8dbcec9
Got:          0xc31b79d920000000
Wanted << 29: 0x9b1b79d920000000

Then I let it run some more and got 574592.380936 and -138.04339599609375.  In hex:

Wanted:       0x41218900c30a0b1c
Got:          0xc061416380000000
Wanted << 29: 0x1861416380000000

Looks pretty suspicious....
And another one: 626259.404266 vs -2113536256.0:

Wanted:       0x41231ca6cefbf402
Got:          0xc1df7e8040000000
Wanted << 29: 0xd9df7e8040000000
So if we land in StoreToTypedFloatArray and the type is TYPE_FLOAT32 and LIRGenerator::allowFloat32Optimizations() we will try to directly store the float from the register, with what looks likely to be movss.  Is that a sane thing to be doing?
And if I modify the testcase a bit to detect cases when the "got" is positive but still wrong, like so:

      if (Math.abs(this.array[this.index] - value)/value > 1e-5) {

I get 5865.55088 vs 4.678468951202332e-35:

Wanted:       0x40b6e98d0678c005
Got:          0x38cf1800a0000000
Wanted << 29: 0xa0cf1800a0000000
This is a duplicate of bug 915495. The float32 patch basically landed around the same time as my typed array IC patch, without knowledge of each other. As a result, typed array ICs aren't aware of the float32 optimizations at all and all kind of bad things happen at the moment.

Can I mark it as duplicate, even though this is s-s and the other one isn't?
Flags: in-testsuite?
Given this is not memory corruption, I don't think this should be s-s.
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Assignee: general → nobody
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: