Bug 609970 - JM: Register syncing bug with heavy pressure, pinned registers
Status: Closed, RESOLVED FIXED
Opened 14 years ago; closed 14 years ago
Categories: Core :: JavaScript Engine, defect
Tracking: blocking2.0: --- → beta8+
People: Reporter: dvander; Assigned: dvander
Whiteboard: fixed-in-tracemonkey
Attachments (1 file): patch, 1.74 KB, dmandelin: review+
This bug was exposed by a setelem test case with bug 592976. Under heavy register pressure, x86/ARM use the "immutable sync" algorithm. This accidentally sees pinned registers as free, and clobbers them.
For example:
  slot 0 is pinned in EAX, and unsynced.
  slot 1 is in memory.
  slot 2 is a copy of slot 1, and unsynced.
Working backwards, we start syncing from slot 2. We need to allocate a register for the memory-to-memory move (slot 1 -> slot 2). It's okay to pick EAX, but only if we evict it first. Since it's pinned, we don't evict it, and simply clobber it.
When we go to sync slot 0, however, we *do* notice that it's pinned, and assume it hasn't been clobbered. But it has been, and we write garbage to the stack.
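The failure sequence in the description can be reproduced in a toy model of the sync pass. The following is an added illustration, not code from the bug's patch or from JaegerMonkey: the register names and the three-slot scenario come from the description above, while the `Slot` and `Frame` classes, the `regs`/`memory` dictionaries and the tiny register file are assumptions. The "fixed" variant simply refuses to hand out a pinned register as scratch space; the description also allows evicting the pinned slot first, which this model does not attempt.

```python
"""Toy model of the 'immutable sync' hazard described in this bug.

Constructed illustration, not JaegerMonkey code: slots, registers and the
sync loop are simplified stand-ins for the real frame state.
"""
from dataclasses import dataclass, field
from typing import Optional

REGISTERS = ["eax", "ecx", "edx"]  # hypothetical tiny register file


@dataclass
class Slot:
    value: int                     # the value this slot is supposed to hold
    reg: Optional[str] = None      # register holding the value, if any
    copy_of: Optional[int] = None  # index of the slot this one duplicates
    pinned: bool = False           # register is pinned: must not be evicted
    synced: bool = False           # memory copy is up to date


@dataclass
class Frame:
    slots: list
    regs: dict = field(default_factory=dict)    # register -> current contents
    memory: dict = field(default_factory=dict)  # slot index -> stack contents
    log: list = field(default_factory=list)

    def pinned_regs(self):
        return {s.reg for s in self.slots if s.pinned and s.reg is not None}

    def alloc_temp(self, respect_pinned):
        """Pick a scratch register for a memory-to-memory move.

        The buggy variant treats every register as free, pinned ones
        included; the fixed variant skips pinned registers.
        """
        busy = self.pinned_regs() if respect_pinned else set()
        for r in REGISTERS:
            if r not in busy:
                return r
        raise RuntimeError("no free register")

    def sync(self, respect_pinned):
        """Write every unsynced slot back to memory, working backwards."""
        for i in range(len(self.slots) - 1, -1, -1):
            s = self.slots[i]
            if s.synced:
                continue
            if s.copy_of is not None:
                src = self.slots[s.copy_of]
                if src.reg is not None:
                    self.memory[i] = self.regs[src.reg]
                else:
                    tmp = self.alloc_temp(respect_pinned)
                    self.regs[tmp] = self.memory[s.copy_of]  # load source
                    self.memory[i] = self.regs[tmp]          # store copy
                    self.log.append(f"slot {i}: mem->mem via {tmp}")
            else:
                # Slot lives in a register; store it. A pinned register is
                # assumed intact, which is exactly the assumption the bug breaks.
                self.memory[i] = self.regs[s.reg]
                self.log.append(f"slot {i}: store {s.reg}")
            s.synced = True
        return self.memory


def build_scenario():
    """The three-slot state from the bug description (values are constructed)."""
    frame = Frame(slots=[
        Slot(value=42, reg="eax", pinned=True),  # slot 0: pinned in EAX, unsynced
        Slot(value=7, synced=True),              # slot 1: in memory
        Slot(value=7, copy_of=1),                # slot 2: copy of slot 1, unsynced
    ])
    frame.regs["eax"] = 42
    frame.memory[0] = -1  # stale stack contents for slot 0
    frame.memory[1] = 7
    return frame


def run(respect_pinned):
    """Sync the scenario and report whether the stack ends up correct."""
    frame = build_scenario()
    mem = frame.sync(respect_pinned)
    expected = {i: s.value for i, s in enumerate(frame.slots)}
    return mem == expected, dict(mem), list(frame.log)


if __name__ == "__main__":
    for mode in (False, True):
        ok, mem, log = run(respect_pinned=mode)
        print("respect_pinned =", mode, "->", "ok" if ok else "GARBAGE", mem, log)
```

With `respect_pinned=False` the scratch register for slot 2 is EAX, the pinned slot 0 is stored from the clobbered register and the stack receives 7 instead of 42; with `respect_pinned=True` the move goes through ECX and every slot syncs correctly.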
Comment 1 (assignee, 14 years ago): Attachment #488537 - Flags: review?(dmandelin)
Updated (14 years ago): Attachment #488537 - Flags: review?(dmandelin) → review+
Comment 2 (assignee, 14 years ago): Whiteboard: fixed-in-tracemonkey
Updated (14 years ago): blocking2.0: --- → beta8+
Comment 3 (14 years ago): Status: ASSIGNED → RESOLVED; Closed: 14 years ago; Resolution: --- → FIXED