fix 64-bit writes to 32-bit struct field in HiPE runtime

Mikael Pettersson <>
Mon Sep 27 19:21:51 CEST 2010


In the HiPE part of the runtime system's Process struct
there is a state field which is 32 bits wide even on 64-bit
machines.

There is a single instruction in the HiPE AMD64 runtime
where this field is incorrectly written with a 64-bit store.
Luckily the extraneous 32 bits are written as zeros to 4
bytes of tail-padding at the end of the struct, so nothing
should have broken because of this.

The same bug exists in the HiPE PowerPC64 runtime (in
development), but on the big-endian PPC64 the effect is
to write the actual value to the tail-padding and zero
to the struct field, which potentially breaks TRAPs from
BIFs (depending on BIF arities and how many parameter
registers the runtime has been configured to use).

Thanks to Paul Guyot for noticing the oversized write on AMD64.

Fixed as follows:

--- otp_src_R14B/erts/emulator/hipe/hipe_amd64_glue.S.~1~	2010-09-13 19:00:22.000000000 +0200
+++ otp_src_R14B/erts/emulator/hipe/hipe_amd64_glue.S	2010-09-27 18:28:12.000000000 +0200
@@ -402,7 +402,7 @@ nbif_3_simple_exception:
 	 * - the native heap/stack/reds registers are saved in P
 	 */
 .handle_trap:
-	movq	%rax, P_NARITY(P)
+	movl	%eax, P_NARITY(P)	# Note: narity is a 32-bit field
 	movl	$HIPE_MODE_SWITCH_RES_TRAP, %eax
 	jmp	.nosave_exit
 
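Review bot: the fix in .handle_trap relies on the arity value in %rax fitting in 32 bits, so the `movl %eax, P_NARITY(P)` store is correct only as long as the struct field stays 4 bytes wide; consider pairing the inline "# Note: narity is a 32-bit field" comment with a build-time check that the field width matches the store size (HiPE already generates the P_NARITY offset, so a size check could live alongside it), because a later widening of the field would otherwise silently turn this back into a partial store. Since the old 64-bit store only spilled zeros into tail padding, as the message explains, this hunk changes no observable behaviour on AMD64 and needs no further follow-up there.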
--- otp_src_R14B/erts/emulator/hipe/hipe_ppc_glue.S.~1~	2010-09-13 19:00:22.000000000 +0200
+++ otp_src_R14B/erts/emulator/hipe/hipe_ppc_glue.S	2010-09-27 18:28:12.000000000 +0200
@@ -541,7 +541,7 @@ CSYM(nbif_3_simple_exception):
 .handle_trap:
 	li	r3, HIPE_MODE_SWITCH_RES_TRAP
 	STORE	NSP, P_NSP(P)
-	STORE	r4, P_NARITY(P)
+	stw	r4, P_NARITY(P)	/* Note: narity is a 32-bit field */
 	STORE	TEMP_LR, P_NRA(P)
 	b	.nosave_exit
 
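Review bot: replacing the `STORE` macro with a literal `stw` in .handle_trap is the right fix for the big-endian PPC64 case described in the message, where `std` put the value in the padding and zero in the field; it is also behaviour-preserving on 32-bit PPC, where `STORE` already expands to `stw`. The remaining risk is any reader of P_NARITY that still uses the width-dependent `LOAD` macro (it would read the field plus the adjacent padding on PPC64), so please check that every load of P_NARITY in the PPC glue and mode-switch code is a 32-bit `lwz`, and adjust those the same way if not.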