Closed Bug 658389 Opened 13 years ago Closed 13 years ago

MIPS JIT occasionally generates invalid epilogue code

Categories

(Tamarin Graveyard :: Baseline JIT (CodegenLIR), defect, P2)

Other
Linux
defect

Tracking

(Not tracked)

RESOLVED FIXED
Q3 11 - Serrano

People

(Reporter: chris, Assigned: wmaddox)

Details

(Whiteboard: fixed-in-nanojit,fixed-in-tamarin-redux,fixed-in-tracemonkey)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110422 Ubuntu/10.10 (maverick) Firefox/3.6.17
Build Identifier: 

A missing underrunProtect allows the jit to generate a jr instruction with a jump instruction in the branch delay slot.


Reproducible: Sometimes

Steps to Reproduce:
Noticed when running the spidermonkey/js1_5/Array/regress-108440.abc acceptance tests, but it could happen any time the code page is switched while the jit is emitting the last 2 instructions of the epilogue code.

Actual Results:  
-sh-4.0# $AVM -Ojit spidermonkey/js1_5/Array/regress-108440.abc
STATUS: Shouldn't crash trying to add an array as an element of itself
Illegal instruction

Expected Results:  
-sh-4.0# $AVM -Ojit spidermonkey/js1_5/Array/regress-108440.abc
STATUS: Shouldn't crash trying to add an array as an element of itself
 = No Crash PASSED!
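A constructed model of the failure mechanism described in this report, added here and not part of the bug, the patch or nanojit's own code. It assumes a backward-emitting code buffer split into fixed-size pages where a page switch appends a link jump, and models `underrunProtect` as `underrun_protect`; `epilogue_breaks(1, false)` reproduces the one-word window in which the link jump lands in the `jr` delay slot, and `epilogue_breaks(1, true)` shows the fix of reserving both epilogue words together.

```c
#include <stdbool.h>
/* Constructed model (not nanojit's code) of a backward-emitting JIT code buffer
 * with fixed-size pages. Execution order is the reverse of emission order, so a
 * page switch between the two epilogue words puts the page-link jump in jr's delay slot. */
enum { PAGE_WORDS = 8, MAX_PAGES = 4 };
typedef enum { I_NOP, I_DELAY, I_JR, I_J } Insn;   /* I_J = page-link jump */
typedef struct {
    Insn page[MAX_PAGES][PAGE_WORDS];
    int  pos[MAX_PAGES];   /* next free slot per page; emission moves downward */
    int  cur;              /* page currently being filled */
} Asm;
/* Ensure n words remain in the current page; otherwise open a new page whose
 * last word jumps back to the code already emitted in the old one. */
static void underrun_protect(Asm *a, int n) {
    if (a->pos[a->cur] >= n) return;
    a->cur++;                                      /* assumes MAX_PAGES suffices */
    a->page[a->cur][--a->pos[a->cur]] = I_J;
}
static void emit(Asm *a, Insn i) {
    underrun_protect(a, 1);                        /* per-instruction check only */
    a->page[a->cur][--a->pos[a->cur]] = i;
}

/* Epilogue = `jr $ra` plus its delay slot, emitted backwards (delay slot first).
 * The fix reserves both words together before emitting either of them. */
static void gen_epilogue(Asm *a, bool fixed) {
    if (fixed) underrun_protect(a, 2);
    emit(a, I_DELAY);
    emit(a, I_JR);
}
/* Walk the pages in execution order; true if a `jr` has a jump in its delay slot. */
static bool jump_in_delay_slot(const Asm *a) {
    Insn prev = I_NOP;
    for (int p = a->cur; p >= 0; p--)
        for (int w = a->pos[p]; w < PAGE_WORDS; w++) {
            if (prev == I_JR && a->page[p][w] == I_J) return true;
            prev = a->page[p][w];
        }
    return false;
}

/* Leave `avail` words free in the first page, emit the epilogue, report the hazard. */
static bool epilogue_breaks(int avail, bool fixed) {
    Asm a = {0};                                   /* every word I_NOP, cur = 0 */
    for (int p = 0; p < MAX_PAGES; p++) a.pos[p] = PAGE_WORDS;
    for (int k = 0; k < PAGE_WORDS - avail; k++) emit(&a, I_NOP);
    gen_epilogue(&a, fixed);
    return jump_in_delay_slot(&a);
}
```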
Attachment #533798 - Flags: review?(wmaddox)
Comment on attachment 533798 [details] [diff] [review]
avoid switching code pages when generating epilogue code

Review of attachment 533798 [details] [diff] [review]:
-----------------------------------------------------------------

This looks good, but please audit the code for other instances of delay slots if you have not done so already.
Attachment #533798 - Flags: review?(wmaddox) → review+
Assigning to myself, as I don't believe Chris has commit privileges.
Assignee: nobody → wmaddox
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Target Milestone: --- → Q3 11 - Serrano
I did check before submitting the patch, but I've looked over it again and think that all of the other cases are covered.
Bill: Can we land the patch and close the bug?
Pushed to nanojit-central:

http://hg.mozilla.org/projects/nanojit-central/rev/9ffbe7d3623c
Whiteboard: fixed-in-nanojit
changeset: 6335:56cf56416096
user:      William Maddox <wmaddox@adobe.com>
summary:   Bug 658389 - Make sure branch and delay slot remain contiguous in function epilogue [chris@mips.com] (r=wmaddox)

http://hg.mozilla.org/tamarin-redux/rev/56cf56416096
Whiteboard: fixed-in-nanojit → fixed-in-nanojit,fixed-in-tamarin
Whiteboard: fixed-in-nanojit,fixed-in-tamarin → fixed-in-nanojit,fixed-in-tamarin-redux
This can be closed, yes?
Flags: flashplayer-qrb+
Flags: flashplayer-injection-
Flags: flashplayer-bug+
Priority: -- → P2
Whiteboard: fixed-in-nanojit,fixed-in-tamarin-redux → fixed-in-nanojit,fixed-in-tamarin-redux, loose-end
(In reply to Dan Smith from comment #9)
> This can be closed, yes?

The bug is awaiting confirmation that the nanojit changes have been pulled into Tracemonkey.  With respect to Tamarin, the issue is resolved.
How can we move this along?  The patch was submitted in May in Tamarin.
Confirmed patch is in Tracemonkey:

http://hg.mozilla.org/tracemonkey/rev/35706009a1e4
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-nanojit,fixed-in-tamarin-redux, loose-end → fixed-in-nanojit,fixed-in-tamarin-redux,fixed-in-tracemonkey