Closed
Bug 1063328
Opened 10 years ago
Closed 10 years ago
[jsdbg2] Debug mode OSR doesn't correctly handle live iterators on the stack when bailing out in-place due to propagate an exception
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla36
People
(Reporter: shu, Assigned: shu)
References
Details
Attachments
(1 file)
|
5.70 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
As a refresher, first consider a call to a function |triggerDebugModeAndThrow()| in Ion. Debug mode OSR will bail out Ion->Baseline in place and resume directly into the baseline exception handler as to deal with onExceptionUnwind. However, this happens before the function itself returns, which means the ResumePoint for the function call is unable to reconstruct the expression stack, which expects the return value of the function to be pushed. For this reason, in-place resumptions due to debug mode currently uses the JS_OPTIMIZED_OUT placeholder for the entire expression stack.
However, now consider the following:
var obj = { foo: 42 };
for (var k in obj)
triggerDebugModeOSRAndThrow();
There is a live for-in iterator on the stack, which debug mode OSR currently doesn't deal with correctly.
|
Assignee | |
Comment 1•10 years ago
|
||
Tests fail with my patches from bug 1032869 landed. I couldn't find a
non-convoluted way to test for this behavior currently.
Attachment #8485326 -
Flags: review?(jdemooij)
|
||
Updated•10 years ago
|
Attachment #8485326 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 2•10 years ago
|
||
|
||
Comment 3•10 years ago
|
||
Assignee: nobody → shu
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
You need to log in
before you can comment on or make changes to this bug.
Description
•