Fix for potential bad tailcall code generation #1298

Merged
merged 1 commit into from Jul 29, 2015

Projects

None yet
@mmitche
Member
mmitche commented Jul 27, 2015

The JIT can potentially pass an incorrect parameter to a callee when optimizing a tail call. While updating a GT_LCL* node with lcl var num of temp passed to the tail call, we also need to change its opererand to GT_LCL_VAR.

Fixes #1296

@masonwheeler

Nice work tracking this down! :)

@akoeplinger
Member

Seems this is the same as in #1289 from TFS that was later rolled back?

dotnet-bot@838b043
dotnet-bot@0aef784

@masonwheeler

Yeah, looks like it. Why did it get rolled back?

@mmitche
Member
mmitche commented Jul 27, 2015

@masonwheeler Not quite sure, but here it is again :)

@hmemcpy
hmemcpy commented Jul 27, 2015

Maybe we could ask @sivarv? :)

@mmdriley

Should we include the regression test here or in a followup PR?

@mmitche
Member
mmitche commented Jul 28, 2015

@mmdriley I've managed to narrow down a regression test, I'll have that included in the merge tomorrow morning :)

@danielgindi

Wow you guys still haven't figured out why the bug is there, and why the fix was rolled back previously...?
This is really worrying.

@forki
forki commented Jul 28, 2015

@danielgindi it looks like @sivarv wanted to fix Microsoft/visualfsharp#536 (comment), but it wasn't the correct fix for that so I assume he rolled it back.

@danielgindi

@forki Thanks for your response :-)

Btw, I love it that Microsoft has moved to Git!

@PeterMurdoch

Thanks!

@wickedsheep

I was just thinking, how come this didn't show up in the tests? It seems like this would blow up everywhere.

@danielgindi

Nope. This blows up in production environment only, and only where there are function call which are the last statement in a function, and only when the optimizer decides to...

@wickedsheep

This would imply the tests are either not run in "production environment" (meaning "Release" mode with "Optimize code" enabled) or there is no such test that would trigger the tail call opt.

@Rutix
Rutix commented Jul 28, 2015

Or this case is such an edge case that one of the test just doesn't trigger it. They probably have added a test case now to their internal tests that hits this edge case. (Atleast I hope so ;))

@mmitche mmitche Fix for potential bad tailcall code generation
The JIT can potentially pass an incorrect parameter to a callee when optimizing a tail call.  While updating a GT_LCL* node with lcl var num of temp passed to the tail call, we also need to change its opererand to GT_LCL_VAR.
99dc0f5
@mmitche
Member
mmitche commented Jul 28, 2015

Hey all, sorry for the delay in response. I have added the test case along with the fix.

The reason that the original fix was backed was for a few reasons:

  1. We wanted to check the fix directly into github rather than having it go across the mirror for visibility reasons
  2. We wanted to evaluate the fix further to see what kind of security impact it might have.

@richlander has posted a nice blog about the issue over at the MSDN dotnet blog: http://blogs.msdn.com/b/dotnet/archive/2015/07/28/ryujit-bug-advisory-in-the-net-framework-4-6.aspx

@wickedsheep

Thank you @mmitche.

@mmitche mmitche merged commit f579474 into dotnet:master Jul 29, 2015

1 check passed

default Build finished. No test results found.
Details
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment