677871 - IonMonkey: Assertion failure: &cx->regs() == &activation->oldFrameRegs(), at Bailouts.cpp:271

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Andrew Drake [:adrake]]

Attachment: Test case

Attached test case asserts on ionmonkey tip on x86 debug, with or without gvn, licm, or lsra.

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fix

The stack logic was wrong in bailouts.

Comment 2

[Sean Stangl [:sstangl]]

Comment on attachment 552223 [details] [diff] [review]
fix

Review of attachment 552223 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/x64/Trampoline-x64.cpp
@@ +214,5 @@
>  
> +    // Stack is:
> +    //     [frame]
> +    //     snapshotOffset
> +    //     frameSize

Based on the code below, this appears to be the number of pointer-sized values in the frame, not the size of the frame. "frameSize" is ambiguous. "frameValues"?

@@ +223,1 @@
>      masm.pop(rcx);

// frameValues

@@ +223,2 @@
>      masm.pop(rcx);
> +    masm.lea(Operand(rsp, rcx, TimesOne, 8), rsp);

sizeof(void *)

::: js/src/ion/x86/Trampoline-x86.cpp
@@ +228,5 @@
>      if (frameClass == NO_FRAME_SIZE_CLASS_ID) {
> +        // Stack is:
> +        //    [frame]
> +        //    snapshotOffset
> +        //    frameSize

Same as with x64.

@@ +235,2 @@
>          masm.pop(ecx);
> +        masm.lea(Operand(esp, ecx, TimesOne, 4), esp);

sizeof(void *)

Comment 3

[David Anderson [:dvander] - inactive, e-mail if emergency]

(In reply to Sean Stangl from comment #2)
> Based on the code below, this appears to be the number of pointer-sized
> values in the frame, not the size of the frame. "frameSize" is ambiguous.
> "frameValues"?

It's the size of the frame, in bytes (the scale is TimesOne). So far the nomenclature is leaning toward:
  * size   - count in bytes
  * slots  - count in STACK_SLOT_SIZE increments
  * values - count in # of js::Values

http://hg.mozilla.org/projects/ionmonkey/rev/97ac85295f20