Um, this shouldn't be a security sensitive bug - I guess I clicked the wrong button when filing it. I don't see a way to undo that...?
Created attachment 521047
freetype - gcc version
An additional build of FreeType, this time with llvm-gcc (other ones were with clang). This build crashes with -j (with the same arguments as before), unlike the other ones. Otherwise it is similar, no JITs works, -m gives incorrect output (0's).
The patch in bug 643829 does not fix this. Reducing...
Created attachment 522098
Reduced
My laptop spent most of yesterday attacking this 214,755-line monster. Let's hope there's only one bug here ;)
$ ./js -m -a test.js
test.js:22: Error: Assertion failed: got (void 0), expected 0
Looks a lot like bug 642569 (>50 locals)
Created attachment 522105
Reduced
This one may be easier to debug.
Reduced testcase passes now but Freetype still fails with |-m -n| (incorrect result) so I'll probably have to reduce this again..
Looks like this happens on tracemonkey too, so it might not be a TI bug. Filed bug 648769.
Output is still incorrect with -n, I'll reduce this now.
Jan: This is still a problem on tracemonkey, so it is likely not a TI issue, as mentioned in comment #7. If you can reduce for tracemonkey for bug 648769, though, that would be extremely useful - we are having a hard time finding the cause by bisection!
(In reply to comment #9)
> Jan: This is still a problem on tracemonkey, so it is likely not a TI issue, as
> mentioned in comment #7.
I'm using freetype_gcc_1_1.js. It works with -m, but with -m -n it prints incorrect values.
> If you can reduce for tracemonkey for bug 648769,
> though, that would be extremely useful - we are having a hard time finding the
> cause by bisection!
Hm, can't reproduce, will post details in the other bug.
Created attachment 526473
Reduced
This fails with |-m -n| and |-m -n -a|:
test.js:20: Error: Assertion failed: got false, expected true
It looks like it's evicting the result of $rec = $rec + 1 because it decides $rec is dead.
Bingo. When running the liveness analysis on loop bodies, we initially assume that if the variable is dead after the loop it will be dead at the backedge too, and need to go and insert new lifetime segments if it is found to be live at the loop head. This was broken though and did not insert new segments if the variable was written in the middle of the loop and those writes did not dominate the back edge.
http://hg.mozilla.org/projects/jaegermonkey/rev/d78eef12a329
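
The scenario from the last comment, as an added example that is not part of the original thread and is not JaegerMonkey code: a textbook backward liveness analysis over a constructed loop CFG. One pass (treating the variable as dead at the back edge) marks `rec` dead right after `rec = rec + 1`, while iterating to a fixpoint keeps it live. The CFG, the block names and `liveOut` are assumptions made for illustration.

```javascript
// Constructed CFG (not the attached testcase) for:
//   rec = 0; i = 0;
//   while (i < n) { if (i & 1) rec = rec + 1; i++; }
// The write in `inc` sits on one arm of a branch, so it does not dominate
// the back edge latch -> head.
const cfg = {
  entry: { use: [],         def: ["rec", "i"], succ: ["head"] },
  head:  { use: ["i", "n"], def: [],           succ: ["body", "exit"] },
  body:  { use: ["i"],      def: [],           succ: ["inc", "latch"] },
  inc:   { use: ["rec"],    def: ["rec"],      succ: ["latch"] },
  latch: { use: ["i"],      def: ["i"],        succ: ["head"] },
  exit:  { use: [],         def: [],           succ: [] }, // rec is never read after the loop
};
const order = ["exit", "latch", "inc", "body", "head", "entry"]; // reverse program order

// Backward dataflow: out(b) = union of in(succ), in(b) = use(b) + (out(b) - def(b)).
// maxPasses = 1 never propagates the loop head's live-in set across the back edge,
// i.e. it models "dead after the loop, so dead at the back edge".
// maxPasses = Infinity iterates until nothing changes.
function liveOut(cfg, order, maxPasses) {
  const liveIn = {}, out = {};
  for (const b of order) { liveIn[b] = new Set(); out[b] = new Set(); }
  let changed = true;
  for (let pass = 0; changed && pass < maxPasses; pass++) {
    changed = false;
    for (const b of order) {
      const o = new Set();
      for (const s of cfg[b].succ) for (const v of liveIn[s]) o.add(v);
      const i = new Set(cfg[b].use);
      for (const v of o) if (!cfg[b].def.includes(v)) i.add(v);
      // Sets only grow in this analysis, so a size change means a real change.
      if (i.size !== liveIn[b].size || o.size !== out[b].size) changed = true;
      liveIn[b] = i; out[b] = o;
    }
  }
  return out;
}

// Is `rec` still live immediately after the write `rec = rec + 1`?
function recLiveAfterWrite(maxPasses) {
  return liveOut(cfg, order, maxPasses).inc.has("rec");
}

console.log("single pass:", recLiveAfterWrite(1));        // register may be evicted
console.log("fixpoint:   ", recLiveAfterWrite(Infinity)); // value must be kept
```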