1311287 - wasm: Baseline JIT forgets to free register after setglobal

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect, P1)

Description

[Lars T Hansen [:lth]]

Test case:

new WebAssembly.Module(wasmTextToBinary(`(module
 (global $mut_local (mut i32) (i32.const 0))
 (global $imm_local i32 (i32.const 37))
 (import $imported "globals" "x" (global i32))
 (func $get (result i32)
  i32.const 13
  set_global $mut_local
  get_global $imported
  get_global $mut_local
  i32.add
  get_global $imm_local
  i32.add
 )
 (export "run" $get)
)`));

This asserts:
Assertion failure: isAvailable(r), at /code/mozilla-inbound/js/src/asmjs/WasmBaselineCompile.cpp:657

The reason is that the joinReg is not available, and the reason it is not available is that it got used by setglobal but not freed.

Comment 1

[Lars T Hansen [:lth]]

Attachment: bug1311287-free-reg.patch

Free the register after setGlobal.

(In general I think we want an assertion in the main decoding loop that checks that the registers are invariant: at the outset, we have some register set, and after each iteration the union of the available registers and the registers on the evaluation stack equals the initial register set.  That's followup work.)

Comment 2

[Benjamin Bouvier [:bbouvier] (inactive)]

Comment on attachment 8802441 [details] [diff] [review]
bug1311287-free-reg.patch

Review of attachment 8802441 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!

Comment 3

[Lars T Hansen [:lth]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/e2da3bb6654f97a7139b53ef3e77e4603a5310f5
Bug 1311287 - free register after setglobal.  r=bbouvier

Comment 4

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/e2da3bb6654f