Closed Bug 493316 Opened 15 years ago Closed 15 years ago

Incorrect execution on bug 460050 testcase with MAX_BRANCHES=4

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED DUPLICATE of bug 493657

People

(Reporter: bzbarsky, Assigned: gal)

References

(Blocks 1 open bug)

Details

BUILD: optimized js shell build from t-m rev a75d552b0c64 with the following local changes:

a) The v2 patch from bug 490364 applied
b) MAX_BRANCHES changed from 32 to 4 in jstracer.cpp

STEPS TO REPRODUCE: Run the full go game js shell testcase from bug 460050. That would be attachment 377491. Do this with -j and without.

EXPECTED RESULTS: Identical output with and without jit enabled.

ACTUAL RESULTS: Different results with jit enabled and jit disabled.

ADDITIONAL INFORMATION: The problem doesn't seem to get triggered with MAX_BRANCHES=2 or MAX_BRANCHES=32.  I can reproduce it with MAX_BRANCHES=8, though.  The output in that case is identical to the MAX_BRANCHES=4 output.
Flags: blocking1.9.1?
Blocks: 460050
Oh, and in a debug build the output for MAX_BRANCHES=8 is also incorrect, and different from what it is in an opt build...
Assignee: general → graydon
Flags: blocking1.9.1? → blocking1.9.1+
Graydon is having some sort of Canadian holiday. Stealing until then.
Assignee: graydon → gal
I can't reproduce this with a TM tip macosx debug shell. bz, can you check whether this still happens?
The steps from comment 0 still reproduce the bug, yes (just tested with MAX_BRANCHES=4).  That's in the optimized shell, also on OSX, and my tree is at rev 1806b6bc084b.

Let me try debug shell.
OK, a debug shell from that same rev with MAX_BRANCHES=4 shows incorrect output as well.
We have fixed https://bugzilla.mozilla.org/show_bug.cgi?id=493657, and that bug is a good explanation for why this bug occurred only with MAX_BRANCHES=4. 493657 restored a wrong function object when side-exiting from within a trace. With a lower limit on max branches that happened more frequently. I haven't tested the full test case yet, but I am pretty certain this is fixed now.
Ok, I just verified that this is a dup of 493657 now. I need b+ for 493657, then we can dup this.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
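The comparison from the steps to reproduce (run the testcase with -j and without, and expect identical output) can be scripted as a differential check. This is an added example, not part of the original bug report: the js shell path and testcase path are caller-supplied assumptions, and only the `-j` flag comes from the report.

```shell
#!/bin/sh
# Added example: differential run of a js shell with and without the tracing JIT.
# Assumption: the shell accepts "-j <file>" as in the bug report; paths are
# supplied by the caller and are not taken from the report.

# jit_diff SHELL TESTCASE
#   returns 0 if stdout and exit status match between the two runs,
#           1 if they diverge (first differing lines go to stderr),
#           2 on usage or setup errors.
jit_diff() {
    shell=$1
    testcase=$2
    if [ ! -x "$shell" ] || [ ! -r "$testcase" ]; then
        echo "usage: jit_diff SHELL TESTCASE" >&2
        return 2
    fi
    tmp=$(mktemp -d) || return 2

    # Capture the exit status without tripping "set -e" in the caller.
    interp_rc=0
    "$shell" "$testcase" >"$tmp/interp.out" 2>"$tmp/interp.err" || interp_rc=$?
    jit_rc=0
    "$shell" -j "$testcase" >"$tmp/jit.out" 2>"$tmp/jit.err" || jit_rc=$?

    rc=0
    if [ "$interp_rc" -ne "$jit_rc" ]; then
        # A crash or assertion in only one mode is also a divergence.
        echo "exit status differs: interp=$interp_rc jit=$jit_rc" >&2
        rc=1
    fi
    if ! cmp -s "$tmp/interp.out" "$tmp/jit.out"; then
        echo "stdout differs (interp '<', jit '>'):" >&2
        diff "$tmp/interp.out" "$tmp/jit.out" | head -n 6 >&2
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use: sh jit_diff.sh /path/to/js testcase.js
[ "$#" -ne 2 ] || jit_diff "$1" "$2"
```

Because MAX_BRANCHES is a compile-time constant in jstracer.cpp, each value under test needs its own build of the shell; the same function can then be pointed at each binary in turn.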