Closed Bug 1516693 Opened 5 years ago Closed 5 years ago

Correctly update framePushed_ in buildOOLFakeExitFrame()

Categories

(Core :: JavaScript Engine: JIT, enhancement)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
ARM64
Unspecified
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla66
Tracking Flags:
Tracking Status
firefox66 --- fixed

People

(Reporter: sstangl, Assigned: sstangl)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

0001-ARM64-Correctly-update-framePushed_-in-buildOOLFakeE.patch
2.49 KB, patch
nbp
: review+
Details | Diff | Splinter Review 
MacroAssemblerCompat::Push() is not the same as MacroAssembler::Push(). The former does a push() operation, while the latter updates framePushed_ and then calls MacroAssemblerCompat::Push().

buildOOLFakeExitFrame() on ARM64 erroneously called the former, causing crashes in Ion NativeGetterResult ICs.

Fixes jit-tests/tests/ion/ArrayLengthGetPropertyIC.js.

Note that we should probably rename MacroAssemblerCompat to MacroAssemblerARM64Compat to fit the naming scheme of the other architectures, but that's a much larger change and I didn't want the real change to get lost in the noise.
Attachment #9033574 - Flags: review?(nicolas.b.pierron)
Attachment #9033574 - Flags: review?(nicolas.b.pierron) → review+
Keywords: checkin-needed
Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/6a3570bb4ae0
ARM64: Correctly update framePushed_ in buildOOLFakeExitFrame(). r=nbp
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/6a3570bb4ae0
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox66: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: