Closed
Bug 1046164
Opened 10 years ago
Closed 10 years ago
IonMonkey MIPS: Test ion/bug883490.js crashes on MIPS
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla34
People
(Reporter: rankov, Assigned: rankov)
Details
Attachments
(1 file, 1 obsolete file)
|
2.41 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
Test ion/bug883490.js crashes on MIPS with segfault.
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → branislav.rankov
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 1•10 years ago
|
||
The problem here was that GlobalReg is not restored on time. The branchTestMagic [1] jumps to the code generated by GenerateThrowStub which uses GlobalReg on line [2] [1] https://hg.mozilla.org/mozilla-central/file/08c23f12a43e/js/src/jit/AsmJS.cpp#l6376 [2] https://hg.mozilla.org/mozilla-central/file/08c23f12a43e/js/src/jit/AsmJS.cpp#l6749
Attachment #8464756 -
Flags: review?(luke)
|
||
Comment 2•10 years ago
|
||
Comment on attachment 8464756 [details] [diff] [review] Restore-GlobalReg.patch Review of attachment 8464756 [details] [diff] [review]: ----------------------------------------------------------------- Good fix! I wonder if this is a bug on ARM too... ::: js/src/jit/AsmJS.cpp @@ +6376,5 @@ > masm.loadPtr(Address(reg1, JitActivation::offsetOfPrevJitJSContext()), reg2); > masm.storePtr(reg2, Address(reg0, offsetOfJitJSContext)); > } > > + JS_ASSERT(masm.framePushed() == framePushed); Can you copy this assertion back to where it was originally?
|
|
Assignee | |
Comment 3•10 years ago
|
||
Attachment #8464756 -
Attachment is obsolete: true
Attachment #8464756 -
Flags: review?(luke)
Attachment #8464815 -
Flags: review?(luke)
|
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8464815 [details] [diff] [review] Restore-GlobalReg.patch You know, I was wrong, this assertion does belong right before the loadPtrs and GenerateAsmJSExitEpilogue already asserts masm.framePushed() == framePushed, so let's land the original patch exactly as r+'d.
Attachment #8464815 -
Flags: review?(luke)
|
|
||
Updated•10 years ago
|
Attachment #8464756 -
Attachment is obsolete: false
Attachment #8464756 -
Flags: review+
|
|
||
Updated•10 years ago
|
Attachment #8464815 -
Attachment is obsolete: true
|
||
Comment 5•10 years ago
|
||
(In reply to Luke Wagner [:luke] from comment #2) > Comment on attachment 8464756 [details] [diff] [review] > Restore-GlobalReg.patch > > Review of attachment 8464756 [details] [diff] [review]: > ----------------------------------------------------------------- > > Good fix! I wonder if this is a bug on ARM too... Yes, it looks like this would have affected the ARM too, but it did not show up in testing. Good to have it fixed.
|
|
Assignee | |
Comment 6•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/59f51f567be1
|
||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/59f51f567be1
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
|
||
Updated•10 years ago
|
QA Whiteboard: [qa-]
You need to log in
before you can comment on or make changes to this bug.
Description
•