Bug 679666 - TI+JM: rendering glitch with WebGL demo translated from C++ to JS
Keywords: regression
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Mac OS X
Importance: -- normal
Assigned To: Jan de Mooij [:jandem]
: Jason Orendorff [:jorendorff]
Duplicates: 679878
Depends on:
Blocks: infer-regress LandTI
Reported: 2011-08-17 05:08 PDT by Jan de Mooij [:jandem]
Modified: 2011-08-18 10:16 PDT

Screenshot (TI disabled) (33.40 KB, image/png)
2011-08-17 05:14 PDT, Jan de Mooij [:jandem]
Screenshot (TI enabled) (46.28 KB, image/png)
2011-08-17 05:14 PDT, Jan de Mooij [:jandem]
Patch (5.38 KB, patch)
2011-08-18 06:45 PDT, Jan de Mooij [:jandem]
bhackett1024: review+

Description Jan de Mooij [:jandem] 2011-08-17 05:08:57 PDT
+++ This bug was initially created as a clone of Bug #678939 +++

This is a WebGL demo translated from C++ to JS. With TI+JM, the FPS counter on the left is rendered incorrectly. It works after disabling either JM or TI.

OS X 10.7, revision 427522c34b31, 32-bit build. Not a regression from bug 678939, I can reproduce with an older build.
Comment 1 Jan de Mooij [:jandem] 2011-08-17 05:14:05 PDT
Created attachment 553733
Screenshot (TI disabled)
Comment 2 Jan de Mooij [:jandem] 2011-08-17 05:14:43 PDT
Created attachment 553734
Screenshot (TI enabled)
Comment 3 Brian Hackett (:bhackett) 2011-08-17 05:24:47 PDT
Huh, WFM on the OS X 8/16 nightly.
Comment 4 Jan de Mooij [:jandem] 2011-08-17 05:25:19 PDT
Can only reproduce on 32-bit (after enabling "open in 32-bit mode" on OS X). 64-bit is OK.
Comment 5 Jan de Mooij [:jandem] 2011-08-17 05:32:32 PDT
(In reply to Brian Hackett from comment #3)
> Huh, WFM on the OS X 8/16 nightly.

See comment 4 - mid-air collision :( I also see this with a nightly build from last month (7/17). I will try a clean profile to make sure it's not related to some pref or extension..
Comment 6 Brian Hackett (:bhackett) 2011-08-17 05:37:12 PDT
OK, I can see the glitch on 32-bit.
Comment 7 Jan de Mooij [:jandem] 2011-08-17 05:48:12 PDT
I'm trying to bisect this now, current regression window is 06/30 - 07/17.
Comment 8 Jan de Mooij [:jandem] 2011-08-18 06:45:55 PDT
Created attachment 554067

Regression from my TI+JM typed array patches. The problem is that convertForTypedArray (used by setelem_typed) called tempRegForData(value) twice, the second one inside a branch. This is only okay if the testInt32 between them does not quietly allocate a type register..

This allocates the type and data registers up front. I'm not entirely sure this is needed for the type register but better safe than sorry. This fixes dlmalloc (bug 679878) and should also fix this bug.
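
The hazard described in comment 8, as an added toy model that is not the attached patch and not SpiderMonkey code: a compile-time register tracker emits a load inside a branch, so its bookkeeping is correct on only one runtime path, while allocating and pinning both registers before the branch keeps the paths in agreement. The two-register machine, the eviction policy and every name (`Frame`, `alloc`, `storedValue`, `PAYLOAD`, `TAG`) are assumptions made for illustration.

```cpp
#include <cstdio>
#include <stdexcept>
#include <vector>
// Toy model, not SpiderMonkey code: every name and the eviction policy are assumed.
enum Owner { FREE, DATA, TYPE, OTHER };
const int PAYLOAD = 42, TAG = -1;              // constructed runtime contents of the value
struct Op { Owner what; int reg; bool guarded; };  // guarded: runs on the non-int32 path only
struct Frame {
    Owner owner[2] = {FREE, OTHER};            // r1 already holds an unrelated value
    bool pinned[2] = {false, false};
    bool inBranch = false;                     // true while emitting the branch body
    std::vector<Op> code;
    int find(Owner o) const {
        for (int i = 0; i < 2; i++) if (owner[i] == o) return i;
        return -1;
    }
    // Return a register holding `what`, emitting a load if it is not cached.
    int alloc(Owner what, bool pin) {
        int r = find(what);
        if (r < 0) {
            r = find(FREE);
            for (int i = 0; r < 0 && i < 2; i++) if (!pinned[i]) r = i;  // evict
            if (r < 0) throw std::runtime_error("all registers pinned");
            owner[r] = what;
            code.push_back({what, r, inBranch});
        }
        pinned[r] = pinned[r] || pin;
        return r;
    }
};

// Compile the store sequence, run it, and return what gets stored after the join.
int storedValue(bool upFront, bool isInt32) {
    Frame f;
    int data = f.alloc(DATA, upFront);         // first tempRegForData(value)
    f.alloc(TYPE, upFront);                    // type test needs the tag in a register
    f.inBranch = true;
    data = f.alloc(DATA, false);               // second request, inside the branch
    f.inBranch = false;
    int regs[2] = {0, 0};
    for (const Op& op : f.code)
        if (!op.guarded || !isInt32) regs[op.reg] = (op.what == DATA) ? PAYLOAD : TAG;
    return regs[data];
}

int main() {
    for (int i = 0; i < 4; i++)
        std::printf("upFront=%d isInt32=%d stored=%d\n", i / 2, i % 2, storedValue(i / 2, i % 2));
}
```

With `upFront` false the int32 path stores the type tag instead of the payload, because the reload that the tracker recorded was only emitted on the other path; with `upFront` true both paths store the payload.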
Comment 9 Jan de Mooij [:jandem] 2011-08-18 07:20:10 PDT
*** Bug 679878 has been marked as a duplicate of this bug. ***
Comment 10 Jan de Mooij [:jandem] 2011-08-18 10:16:32 PDT

Downloaded a tinderbox build and this works fine now.
