Closed Bug 1640748 Opened 5 years ago Closed 5 years ago

Warp: Fix LoadArgumentSlot

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla78
Tracking Flags:
Tracking Status
firefox78 --- fixed

People

(Reporter: evilpie, Assigned: evilpie)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1640748 - Warp: Fix LoadArgumentSlot transpilation. r?jandem
(deleted), text/x-phabricator-request
Details

The current logic for LoadArgumentSlot has at least two bugs:

  • emitLoadArgumentDynamicSlot calls emitLoadArgumentFixedSlot with the current number of arguments added to slotIndex. This can easily overflow because the slotIndex is only an uint8_t.
  • emitLoadArgumentFixedSlot doesn't handle more than one argument correctly. The arguments are actually in reverse order. The last argument has the lowest slotIndex, usually zero (unless constructing).
Summary: Warp : Fix LoadArgumentSlot → Warp: Fix LoadArgumentSlot
Blocks: CacheIRTranspiler
No longer blocks: WarpBuilder
Pushed by evilpies@gmail.com: https://hg.mozilla.org/integration/autoland/rev/67947af6e79b Warp: Fix LoadArgumentSlot transpilation. r=jandem

https://hg.mozilla.org/mozilla-central/rev/67947af6e79b

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox78: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla78
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: