IonMonkey: Assertion failure: &cx->regs() == &activation->oldFrameRegs(), at Bailouts.cpp:271

RESOLVED FIXED

Core
JavaScript Engine

People

(Reporter: adrake, Assigned: dvander)

Tracking

(Blocks: 1 bug)

(Reporter)

Description

6 years ago
Created attachment 552046 [details]
Test case

Attached test case asserts on ionmonkey tip on x86 debug, with or without gvn, licm, or lsra.

(Assignee)

Comment 1

6 years ago
Created attachment 552223 [details] [diff] [review]
fix

The stack logic was wrong in bailouts.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #552223 - Flags: review?(sstangl)

Comment on attachment 552223 [details] [diff] [review]
fix

Review of attachment 552223 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/x64/Trampoline-x64.cpp
@@ +214,5 @@
>  
> +    // Stack is:
> +    //     [frame]
> +    //     snapshotOffset
> +    //     frameSize
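
Review bot: "frameSize" in the stack comment carries no unit, and the comment does not say which end of the list is the top of the stack. The masm.pop(rcx) further down consumes it and the lea applies it with TimesOne, so it is used as a byte count; suggest "frameSize (bytes, top of stack)" so it is not read as a slot or value count.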

Based on the code below, this appears to be the number of pointer-sized values in the frame, not the size of the frame. "frameSize" is ambiguous. "frameValues"?

@@ +223,1 @@
>      masm.pop(rcx);

// frameValues

@@ +223,2 @@
>      masm.pop(rcx);
> +    masm.lea(Operand(rsp, rcx, TimesOne, 8), rsp);
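
Review bot: the displacement 8 in the added lea is a bare constant with no comment tying it to the stack layout. Going by the stack comment, once frameSize has been popped the one word left between the stack pointer and the frame is snapshotOffset, so rsp + rcx + 8 drops that word and the frame together; write the constant as sizeof(void *) and add a comment saying it discards snapshotOffset.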

sizeof(void *)

::: js/src/ion/x86/Trampoline-x86.cpp
@@ +228,5 @@
>      if (frameClass == NO_FRAME_SIZE_CLASS_ID) {
> +        // Stack is:
> +        //    [frame]
> +        //    snapshotOffset
> +        //    frameSize

Same as with x64.

@@ +235,2 @@
>          masm.pop(ecx);
> +        masm.lea(Operand(esp, ecx, TimesOne, 4), esp);

sizeof(void *)

Attachment #552223 - Flags: review?(sstangl) → review+

(Assignee)

Comment 3

6 years ago
(In reply to Sean Stangl from comment #2)
> Based on the code below, this appears to be the number of pointer-sized
> values in the frame, not the size of the frame. "frameSize" is ambiguous.
> "frameValues"?

It's the size of the frame, in bytes (the scale is TimesOne). So far the nomenclature is leaning toward:
  * size   - count in bytes
  * slots  - count in STACK_SLOT_SIZE increments
  * values - count in # of js::Values

http://hg.mozilla.org/projects/ionmonkey/rev/97ac85295f20

Updated

6 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED