Closed
Bug 1354275
Opened 7 years ago
Closed 7 years ago
Ion: Inlining native calls need resume points if they throw
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
People
(Reporter: tcampbell, Assigned: tcampbell)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
|
59 bytes,
text/x-review-board-request
|
jandem
:
review+
jcristau
:
approval-mozilla-beta+
|
Details |
As explained in the comment at the top of |IonBuilder::visitThrow|, a throw must be preceded by a resume point or we risk getting stale data. This concern also exists when making VM calls that can throw. Specifically, inlining native methods that may throw can be missing a resume point. The other effect is when a bailout occurs during the exception, the resume point has a different pc than the call chain where the fault occurred. This complicates unwinding scopes and debugging.
|
Assignee | |
Comment 1•7 years ago
|
||
Testcase:
> // --ion-eager --ion-offthread-compile=off
> function f(t) {
> for (var i = 0; i < 2; i++) {
> try {
> var x = 1;
> Array(0);
> x = 2;
> Array(t);
> } catch (e) {
> assertEq(x, 2);
> }
> }
> }
>
> f(-1);|
|
Assignee | |
Comment 2•7 years ago
|
||
As discussed with :jandem, the problem seems to be missing resumeAfter calls for MIR nodes that may throw, such as MNewArrayDynamicLength.
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Comment 4•7 years ago
|
||
A basic manual review looks like MNewArrayDynamicLength is the only obviously incorrect case. Submitting a patch to get this fixed. Marking as leave-open because I'd like to put together an experiment on if there are other cases we can through without having a correct resume point.
Keywords: leave-open
|
|
Assignee | |
Updated•7 years ago
|
status-firefox52:
--- → wontfix
status-firefox53:
--- → wontfix
status-firefox54:
--- → affected
status-firefox55:
--- → affected
|
||
Comment 5•7 years ago
|
||
| mozreview-review | ||
Comment on attachment 8856529 [details] Bug 1354275 - Fix handling of Array() throwing in Ion https://reviewboard.mozilla.org/r/128482/#review131990 Sorry for the delay.
Attachment #8856529 -
Flags: review?(jdemooij) → review+
Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/9590ce12459c Fix handling of Array() throwing in Ion r=jandem
|
|
Assignee | |
Comment 7•7 years ago
|
||
Comment on attachment 8856529 [details] Bug 1354275 - Fix handling of Array() throwing in Ion Approval Request Comment [Feature/Bug causing the regression]: Introduced by Bug 1100513. [User impact if declined]: Rare cases cause javascript to generate incorrect value. See Comment 1. [Is this code covered by automated tests?]: Test case included in patch. [Has the fix been verified in Nightly?]: Waiting for autoland merge. Try builds fix the included automated jit-test. [Needs manual test from QE? If yes, steps to reproduce]: No. [List of other uplifts needed for the feature/fix]: None. [Is the change risky?]: Low [Why is the change risky/not risky?]: This patch adds a missing ResumePoint to a specific MIR node in IonMonkey. ResumePoints are used for MIR nodes with side-effects (most of them), but can be avoided as a performance improvement. In this cases the ResumePoint was left out when the operation does have side-effect concerns. [String changes made/needed]: No.
Attachment #8856529 -
Flags: approval-mozilla-aurora?
|
||
Comment 8•7 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/9590ce12459c
|
||
Comment 9•7 years ago
|
||
Comment on attachment 8856529 [details] Bug 1354275 - Fix handling of Array() throwing in Ion 54 was merged to Beta today.
Attachment #8856529 -
Flags: approval-mozilla-aurora? → approval-mozilla-beta?
|
||
Comment 10•7 years ago
|
||
Comment on attachment 8856529 [details] Bug 1354275 - Fix handling of Array() throwing in Ion ion fix for beta54, should be in b3
Attachment #8856529 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
Assignee | |
Comment 11•7 years ago
|
||
Cherry-pick from central -> beta applies cleanly on my end. Can someone apply to real repository? I'm unclear on the steps for uplifts.
Keywords: checkin-needed
|
|
Assignee | |
Updated•7 years ago
|
Keywords: checkin-needed
|
|
||
Comment 12•7 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-beta/rev/4bde1b05f7bf
Flags: in-testsuite+
|
||
Comment 13•7 years ago
|
||
(In reply to Ted Campbell [:tcampbell] from comment #7) > [Is this code covered by automated tests?]: > Test case included in patch. > [Needs manual test from QE? If yes, steps to reproduce]: > No. Setting qe-verify- based on Ted's assessment on manual testing needs and the fact that this fix has automated coverage.
Flags: qe-verify-
|
|
Assignee | |
Updated•7 years ago
|
|
|
Assignee | |
Comment 14•7 years ago
|
||
Follow-up work moved to Bug 1365758. The specific case discussed in this bug is fixed, so closing bug.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
|
||
Comment 15•6 years ago
|
||
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open
You need to log in
before you can comment on or make changes to this bug.
Description
•