Closed Bug 1495916 Opened Last year Closed Last year

Fix Bailouts in ARM64

Categories

(Core :: JavaScript Engine: JIT, defect, P2)

ARM64
Unspecified
defect

Tracking

RESOLVED FIXED
mozilla64
Tracking Status
firefox64 --- fixed

People

(Reporter: sstangl, Assigned: sstangl)

References

(Blocks 1 open bug)

Attachments

(1 file, 1 obsolete file)

Attached patch bailouts.patch (obsolete)
The bailout code in ARM64 was broken, which manifested as a failure on every test that uses "--ion-eager --ion-offthread-compile=off" -- roughly 12,000 jit-test failures.

There were a number of problems. Discovering them took a while. The general strategy used was to place sentinel values on the stack and see how they mismatch with expected locations in the Bailout() handler.

The problems this fixes are:

1. The ARM64 code wasn't actually pushing all the registers, causing an off-by-32 error.
2. The ARM64 code wasn't pushing frameSize_.
3. The bailout handler return code was just wrong.

For testing, it looks like this behaves correctly for basic/FPQuadCmp.js, but unfortunately that test still fails for other reasons that should be addressed elsewhere.

I attempted to leave comments that would be helpful to myself in the case of having to reverse-engineer how this works again.
Attachment #9013859 - Flags: review?(jdemooij)
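The sentinel strategy described in the comment above, shown on a simulated stack as an added example; it is not code from the patch or from SpiderMonkey. The `FrameLayout` struct, the register count, the push order, the skipped registers and the frame size value are all constructed assumptions and do not reproduce the real bailout frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_REGS 32                        /* hypothetical register count */
#define SENTINEL(i) (0x5E17000000000000ull | (uint64_t)(i))

/* Layout the handler assumes, lowest address first (hypothetical). */
struct FrameLayout { uint64_t regs[NUM_REGS]; uint64_t frame_size; };

/* Simulated push sequence on a downward-growing stack: frame_size first,
 * then registers NUM_REGS-1 .. first_reg, each holding its own sentinel. */
static uint64_t *push_frame(uint64_t *sp, unsigned first_reg, uint64_t frame_size) {
    *--sp = frame_size;
    for (int i = NUM_REGS - 1; i >= (int)first_reg; i--)
        *--sp = SENTINEL(i);
    return sp;
}

/* Byte distance between where register `reg` actually sits and where the
 * handler's layout expects it; 0 means push code and layout agree. */
static ptrdiff_t sentinel_skew(const uint64_t *sp, size_t words, unsigned reg) {
    size_t expected = offsetof(struct FrameLayout, regs) / 8 + reg;
    for (size_t w = 0; w < words; w++)
        if (sp[w] == SENTINEL(reg))
            return ((ptrdiff_t)w - (ptrdiff_t)expected) * 8;
    return PTRDIFF_MIN;                    /* sentinel not in the window */
}

/* Builds a frame, then views it through the handler's layout. Returns the
 * skew for register 31 and reports whether frame_size was read correctly. */
static ptrdiff_t check_push(unsigned first_reg, int *frame_size_ok) {
    uint64_t stack[128] = {0}, *top = stack + 96;  /* zeroed caller area above */
    uint64_t *sp = push_frame(top, first_reg, 0x140);
    struct FrameLayout seen;
    memcpy(&seen, sp, sizeof seen);        /* what the handler would read */
    *frame_size_ok = (seen.frame_size == 0x140);
    return sentinel_skew(sp, NUM_REGS + 1, 31);
}

int main(void) {
    int ok;
    ptrdiff_t skew = check_push(4, &ok);   /* constructed bug: 4 registers skipped */
    printf("skew=%td bytes, frame_size %s\n", skew, ok ? "ok" : "wrong");
    return 0;
}
```

A nonzero skew gives the size of the mismatch directly in bytes, which is what points back at the push sequence rather than at the handler's field reads.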
The #ifdef DEBUG code in PushBailoutFrame() isn't needed anymore, since the number of registers pushed is static.
Attachment #9013859 - Flags: review?(jdemooij) → review+
Priority: -- → P2
Attachment #9013859 - Attachment is obsolete: true
Attachment #9015690 - Flags: review+
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/acf3ccc27e1e
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla64