Closed Bug 915979 Opened 11 years ago Closed 11 years ago

Float32Array read/write incorrect value.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 915495

People

(Reporter: mbx, Unassigned)

References

Details

Attachments

(1 file)

bug.html
778 bytes, text/html
Details
Attached file bug.html
Reading back values that were just written into a Float32Array can be significantly different. This seems to be a regression, as it only happens in Nightly. Open attached file in Nightly and wait a few seconds. I was only able to reproduce it by using requestAnnimationFrame with float values from performance.now(). Marking it as a security bug for now since it may be a memory corruption problem.
Fallout from bug 899139?
Blocks: 899139
So this is exciting. The first alert I got shows 6726.487684000001 and -1933449455730688.0 for the "wanted to write" and "wrote" numbers, respectively. In hex, we have: Wanted: 0x40ba467cd8dbcec9 Got: 0xc31b79d920000000 Wanted << 29: 0x9b1b79d920000000 Then I let it run some more and got 574592.380936 and -138.04339599609375. In hex: Wanted: 0x41218900c30a0b1c Got: 0xc061416380000000 Wanted << 29: 0x1861416380000000 Looks pretty suspicious....
And another one: 626259.404266 vs -2113536256.0: Wanted: 0x41231ca6cefbf402 Got: 0xc1df7e8040000000 Wanted << 29: 0xd9df7e8040000000
So if we land in StoreToTypedFloatArray and the type is TYPE_FLOAT32 and LIRGenerator::allowFloat32Optimizations() we will try to directly store the float from the register, with what looks likely to be movss. Is that a sane thing to be doing?
And if I modify the testcase a bit to detect cases when the "got" is positive but still wrong, like so: if (Math.abs(this.array[this.index] - value)/value > 1e-5) { I get 5865.55088 vs 4.678468951202332e-35: Wanted: 0x40b6e98d0678c005 Got: 0x38cf1800a0000000 Wanted << 29: 0xa0cf1800a0000000
This is a duplicate of bug 915495. The float32 patch basically landed around the same time as my typed array IC patch, without knowledge of each other. As a result, typed array ICs aren't aware of the float32 optimizations at all and all kind of bad things happen at the moment. Can I mark it as duplicate, even though this is s-s and the other one isn't?
Flags: in-testsuite?
Given this is not memory corruption, I don't think this should be s-s.
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Assignee: general → nobody
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: