Closed Bug 677163 Opened 13 years ago Closed 13 years ago

IonMonkey: Incorrect interpreter state from bailout with greedy register allocator

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: adrake, Assigned: dvander)

References

(Blocks 1 open bug)

Attachments

(2 files)

Attached file Test case
The attached test case bails due to a guard failure in the integer unboxing of an "undefined" value. With --ion-licm=off --ion-gvn=off --ion-regalloc=greedy --ion, the interpreter state is such that the program loops infinitely. The behavior with ion disabled and LSRA is to terminate with "undefined".
Attached patch fix
Bug in the compact encoding for signed integers.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #551966 - Flags: review?(adrake)
Comment on attachment 551966 [details] [diff] [review]
fix

Review of attachment 551966 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/CompactBuffer.h
@@ +102,5 @@
> +        bool more = !!(b & (1 << 1));
> +        int32 result = b >> 2;
> +        if (more)
> +            result |= readUnsigned() << 6;
> +        if (isSigned)
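
Review bot: int32 result is used as the bit accumulator, so in "result |= readUnsigned() << 6" the shifted bits can reach the sign bit of a signed value before the "if (isSigned)" branch runs. Consider accumulating in a uint32 and converting once at the end, and giving the (1 << 1) continuation flag a named constant so this reader and writeSigned cannot drift apart on the first-byte layout.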

isNegative?

@@ +137,5 @@
>              value >>= 7;
>          } while (value);
>      }
> +    void writeSigned(int32 v) {
> +        bool isSigned = v < 0;
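
Review bot: "bool isSigned = v < 0" in writeSigned suggests the sign is stored apart from the magnitude of v, and for the most negative int32 that magnitude does not fit in an int32. If the lines that follow negate v, do the negation in uint32, and add a comment on writeSigned describing the first-byte layout the reader decodes (continuation flag in bit 1, payload starting at bit 2).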

And here
Attachment #551966 - Flags: review?(adrake) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/af7791387bef w/ nits
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED