Closed Bug 668643 Opened 10 years ago Closed 10 years ago

TI+JM: No comply demo crashes in mjit-generated code

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

(Blocks 1 open bug,
URL
)

Details

https://mozillademos.org/demos/nocomply/demo.html

crashes on OS X, both 32-bit and 64-bit, using a nightly build from revision ffddf68888de.

It looks like a crash in LICM code:
======
0x3650d11:	call   0x13b1d00 <_ZN2js4mjit5stubs16InvariantFailureERNS_7VMFrameEPv>
0x3650d16:	mov    0x1c(%esp),%ebp

// Hoisted dense array slots?
0x3650d1a:	cmpl   $0xffff0007,0x3c(%ebp)
0x3650d21:	jne    0x3650dc4
0x3650d27:	mov    0x38(%ebp),%ebx
0x3650d2a:	mov    0x24(%ebx),%ebx
0x3650d2d:	mov    %ebx,0xf0(%ebp)

// Hoisted bounds check?
0x3650d33:	mov    0xf8(%ebp),%ebx
0x3650d39:	mov    0x10(%ebx),%ebx <= CRASH
0x3650d3c:	mov    0x58(%ebp),%edx
0x3650d3f:	cmp    %edx,%ebx
0x3650d41:	jle    0x3650dc4

0x3650d47:	cmpl   $0xffff0007,-0x4(%ebp)
0x3650d4e:	jne    0x3650dc4
======
ebx has value 139 so it looks like 0xf8(%ebp) is bogus
Kind of tricky (yeah, LICM), when removing redundant hoisted checks in a loop we could violate constraints on how the invariant entries must be ordered.  In this case we are hoisting a check on an access on an array which is itself a loop invaraint property access.  We reordered the check before the invariant entry which computed the array itself, so when we tried to read the temporary at 0xf8 it hadn't been filled in yet (if you disassemble more the writes to 0xf8 appear later).  The fix preserves ordering constraints when removing redundant loop invariant entries.

http://hg.mozilla.org/projects/jaegermonkey/rev/90768623f7ec
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.