fix 64-bit writes to 32-bit struct field in HiPE runtime
Mon Sep 27 19:21:51 CEST 2010
In the HiPE part of the runtime system's Process struct
there is a state field which is 32 bits wide even on 64-bit.
There is a single instruction in the HiPE AMD64 runtime
where this field is incorrectly written with a 64-bit store.
Luckily the extraneous 32 bits are written as zeros to 4
bytes of tail-padding at the end of the struct, so nothing
should have broken because of this.
The same bug exists in the HiPE PowerPC64 runtime (in
development), but on the big-endian PPC64 the effect is
to write the actual value to the tail-padding and zero
to the struct field, which potentially breaks TRAPs from
BIFs (depending on BIF arities and how many parameter
registers the runtime has been configured to use).
Thanks to Paul Guyot for noticing the oversized write on AMD64.
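The endianness effect described above, as an added example that is not part of the original message or of the OTP sources: a constructed stand-in for the tail of the Process struct (a 64-bit field followed by a 32-bit `narity` and 4 bytes of tail padding), with the oversized 8-byte store emulated by memcpy. On a little-endian host the field still reads back correctly; on a big-endian host it reads back as zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the tail of the HiPE Process struct (not the
 * real layout): a 64-bit field followed by a 32-bit one, so the struct is
 * padded with 4 bytes at the end to keep its size a multiple of 8. */
struct proc_tail {
    _Alignas(8) uint64_t nsp; /* a 64-bit field preceding narity */
    uint32_t narity;          /* 32-bit field; 4 bytes of padding follow */
};

static int host_is_big_endian(void)
{
    uint16_t probe = 1;
    return *(const uint8_t *)&probe == 0;
}

/* The bug: an 8-byte store aimed at the 4-byte field. memcpy stands in
 * for the movq / STORE instruction; the extra 4 bytes hit the padding. */
static uint32_t narity_after_bad_store(uint32_t value)
{
    struct proc_tail p;
    uint64_t wide = value; /* high 32 bits are zero, as in the register */
    memset(&p, 0xAA, sizeof p);
    memcpy(&p.narity, &wide, sizeof wide);
    return p.narity;
}

/* The fix: a 4-byte store (movl / stw), which cannot spill. */
static uint32_t narity_after_good_store(uint32_t value)
{
    struct proc_tail p;
    memset(&p, 0xAA, sizeof p);
    p.narity = value;
    return p.narity;
}

int main(void)
{
    printf("sizeof(struct proc_tail) = %zu (4 bytes of tail padding)\n",
           sizeof(struct proc_tail));
    printf("%s-endian host: bad store leaves narity = %u, good store = %u\n",
           host_is_big_endian() ? "big" : "little",
           narity_after_bad_store(3), narity_after_good_store(3));
    return 0;
}
```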
Fixed as follows:
--- otp_src_R14B/erts/emulator/hipe/hipe_amd64_glue.S.~1~ 2010-09-13 19:00:22.000000000 +0200
+++ otp_src_R14B/erts/emulator/hipe/hipe_amd64_glue.S 2010-09-27 18:28:12.000000000 +0200
@@ -402,7 +402,7 @@ nbif_3_simple_exception:
* - the native heap/stack/reds registers are saved in P
- movq %rax, P_NARITY(P)
+ movl %eax, P_NARITY(P) # Note: narity is a 32-bit field
movl $HIPE_MODE_SWITCH_RES_TRAP, %eax
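Review bot: The `movl %eax, P_NARITY(P)` store now matches the 32-bit field width, but the invariant lives only in an assembler comment; consider adding a compile-time check on the C side that defines the P_NARITY offset (a static assertion that the narity field is 4 bytes wide) so that a later change to the field's width fails the build instead of silently reintroducing a store into the tail padding.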
--- otp_src_R14B/erts/emulator/hipe/hipe_ppc_glue.S.~1~ 2010-09-13 19:00:22.000000000 +0200
+++ otp_src_R14B/erts/emulator/hipe/hipe_ppc_glue.S 2010-09-27 18:28:12.000000000 +0200
@@ -541,7 +541,7 @@ CSYM(nbif_3_simple_exception):
li r3, HIPE_MODE_SWITCH_RES_TRAP
STORE NSP, P_NSP(P)
- STORE r4, P_NARITY(P)
+ stw r4, P_NARITY(P) /* Note: narity is a 32-bit field */
STORE TEMP_LR, P_NRA(P)
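Review bot: Replacing the width-selecting STORE macro with an explicit `stw r4, P_NARITY(P)` is the right fix, and presumably matches what STORE already expanded to on 32-bit PowerPC, so only PPC64 behaviour changes. Since the message notes that on big-endian PPC64 the oversized store puts zero in the field and the real value in the padding, it is worth auditing the remaining STORE uses in hipe_ppc_glue.S for other 32-bit Process fields, where the same macro would fail just as silently.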