Closed Bug 505416 Opened 15 years ago Closed 15 years ago

http://www.usatoday.com/ crash on sparc.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
Sun
Solaris
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.1 --- .2-fixed

People

(Reporter: leon.sha, Assigned: leon.sha)

References

(
URL
)

Details

(Keywords: crash, verified1.9.1)

Attachments

(3 files)

stack
13.92 KB, text/plain
Details
patch
670 bytes, patch
gal
: review+
samuel.sidler+old
: approval1.9.1.2+
Details | Diff | Splinter Review
stack with c++filt
14.08 KB, text/plain
Details
Attached file stack 
Visiting http://www.usatoday.com/ on sparc with the latest firefox, firefox will crash. If visiting this site with jit disabled, firefox will not crash.
leon sha: could you try to use c++filt in the future? :)
Attached patch patchSplinter Review 
The generated code look like this.
0xecce1638:	sethi    %hi(0xbff00000), %i0
0xecce163c:	bset     0x00000000, %i0	! 0xbff00000
0xecce1640:	st       %i0, [%fp - 8]
0xecce1644:	clr      %i0
0xecce1648:	st       %i0, [%fp - 4]
0xecce164c:	ldsw     [%fp - 4], %i0
0xecce1650:	ld       [%fp - 8], %f2
0xecce1654:	ld       [%fp - 4], %f3

"ldsw     [%fp - 4], %i0" is generated by registerAlloc. It will restore $io, but it is destroyed. Memory "%fp - 4" was allocated by "Reservation *rR = getresv(ins);" At that time registerAlloc not happened, so that memory should be free to use. But the same memory should not be accessed after registerAlloc. So in the assembler level it destroyed the memory first and use this memory to restore $i0.
Move registerAlloc to the top of asm_quad function can solve this problem. But since we just need a temporal register here, we use L2 instead.
Assignee: general → leon.sha
Status: NEW → ASSIGNED
Attachment #389658 - Flags: review?(gal)
Attached file stack with c++filt 

    
  

        Attachment #389658 -
        Flags: review?(gal) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/f43b639eecb8
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
  

        Attachment #389658 -
        Flags: approval1.9.1.2?

    
    

    
  
Comment on attachment 389658 [details] [diff] [review]
patch

This is a NPOTB code change. Should be safe to land mozilla-1.9.1 branch. For sparc it cause crash.

    
    

    
  
Comment on attachment 389658 [details] [diff] [review]
patch

Approved for 1.9.1.2. a=NPOTB, aka ss for release-drivers

Please land on mozilla-1.9.1 and use the ".2-fixed" option of the "status1.9.1" flag.

        Attachment #389658 -
        Flags: approval1.9.1.2? → approval1.9.1.2+

    
  
Keywords: verified1.9.1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: