Closed
Bug 639882
Opened 15 years ago
Closed 15 years ago
TI+JM: crash in mjit generated code
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: jandem, Unassigned)
Details
(Whiteboard: fixed-in-jaegermonkey)
--
var x = 2;
x = -(x == 3);
--
Crashes with -m -n -a in mjit code.
Comment 1•15 years ago
Hmm, the problem is that when we recompile on the neg, the global object from the bindgname in 'x = ...' has not been synced because it is thought to be a constant, and in the recompiled code we do a stub call on the 'x == 3' that syncs and forgets it is a constant.
The idea for dealing with this sort of thing was to keep constants and copies consistent across recompilations. As it stands, this is more wishful thinking than an invariant that can reasonably be enforced, and as this bug shows the consequences of inconsistencies are crashes in JIT code (woot).
I think that variables and the stack should always be fully synced when making a call. This will free constraints on constants/copies across recompilations, removing this big landmine, and will I think be necessary for scripted call inlining anyways --- one of the most important reasons to inline is to constant/copy-propagate the arguments and 'this', and when recompiling there is no guarantee we will be able to inline anymore and will need to reconstruct a stack where there are no constants/copies in the inner function. This shouldn't ding perf much; will primarily add earlier syncs for known constant/copy locals and args, and the number of calls we make from JIT code is trending down (when you make a call you're already behind the curve perf-wise).
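A toy model of the inconsistency described in Comment 1, added here as an illustration and not SpiderMonkey code (all names are hypothetical): two compilations of the same fragment make different decisions about whether a tracked constant is written to its memory slot before the `x == 3` stub call, and the recompiled code that resumes at `neg` reads a slot the earlier code never wrote. Syncing everything before every call makes the memory state at the call boundary identical for any compilation, which is the invariant the comment proposes.

```python
# Toy model of a method JIT's compile-time "frame state": each variable either lives
# only in the compiler's head as a known constant (no store emitted) or has been
# synced to its memory slot. Hypothetical helper names; not SpiderMonkey code.

def compile_prefix(sync_at_calls):
    """Compile `x = 2; x == 3` up to the stub call for `==`.
    Returns (frame_state, memory): what the compiler believes, and what was stored.
    frame_state maps name -> ("const", value) or ("memory",)."""
    frame_state = {}
    memory = {}
    # bindgname x; x = 2: the compiler records a constant instead of emitting a store.
    frame_state["x"] = ("const", 2)
    # `x == 3` goes through a stub call. The policy decides whether every tracked
    # constant is written out (and forgotten) before the call.
    if sync_at_calls:
        for name, entry in list(frame_state.items()):
            if entry[0] == "const":
                memory[name] = entry[1]
                frame_state[name] = ("memory",)
    return frame_state, memory

def resume_after_recompile(old_memory, new_frame_state):
    """Code compiled earlier left `old_memory` behind; the freshly compiled code
    resumes at `neg` with its own beliefs about where x lives."""
    entry = new_frame_state["x"]
    if entry[0] == "const":
        return entry[1]
    if "x" not in old_memory:
        raise RuntimeError("x was never synced by the old code: uninitialised slot read")
    return old_memory["x"]

def run_scenario(old_policy, new_policy):
    """Old code compiled with `old_policy`, recompiled code with `new_policy`.
    Returns the result of `-(x == 3)` or the string "crash"."""
    _, old_memory = compile_prefix(sync_at_calls=old_policy)
    new_state, _ = compile_prefix(sync_at_calls=new_policy)
    try:
        x = resume_after_recompile(old_memory, new_state)
    except RuntimeError:
        return "crash"
    return -(x == 3)  # the `neg` that triggered the recompile; x is 2, so this is 0

if __name__ == "__main__":
    # The bug: old code kept x as a constant, recompiled code synced at the stub call.
    print(run_scenario(old_policy=False, new_policy=True))  # crash
    # The fix: every compilation syncs before a call, so the memory state is canonical.
    print(run_scenario(old_policy=True, new_policy=True))   # 0
```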
Comment 2•15 years ago
This hurt perf on SS by maybe 2-3ms.
http://hg.mozilla.org/projects/jaegermonkey/rev/ed4cccfd3e39
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey