Closed Bug 685377 Opened 13 years ago Closed 13 years ago

IonMonkey: Incorrect bailout during argument construction.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 691603

People

(Reporter: sstangl, Assigned: dvander)

Details

Attachments

(2 files)

Bail out during argument construction.
761 bytes, application/javascript
Details
fix
12.80 KB, patch
sstangl
: review+
Details | Diff | Splinter Review 
The attached test case trips the following assertion on x86/x64 with --ion-eager:
> Assertion failure: GlobalIonContext, at /home/sstangl/dev/ionmonkey/js/src/ion/Ion.cpp:126

Some recent patches caused a reduced version of this testcase to unexpectedly pass.
Note that the problem is most likely due to a ResumePoint that is not at the start of the function call -- this is the first time we have non-idempotent instructions. Calling take_snapshot() (aliased to "h") creates a new ResumePoint.
Attached patch fixSplinter Review 
I can't reproduce the original bug, but the current crash is because bailout contexts can't stack, and we appear to be re-entering Ion code.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #560366 - Flags: review?(sstangl)
Comment on attachment 560366 [details] [diff] [review]
fix

Review of attachment 560366 [details] [diff] [review]:
-----------------------------------------------------------------

This patch is fine, but seems unrelated to this bug -- I can still reproduce it on x86 and x64.

::: js/src/tests/ecma_5/extensions/extension-methods-reject-null-undefined-this.js
@@ -1,1 @@
> -/*

This file probably shouldn't be removed? I'm unclear on why this is removed, and how it's related to this patch.

::: js/src/tests/ecma_5/misc/builtin-methods-reject-null-undefined-this.js
@@ -1,1 @@
> -/*

This file too.
Attachment #560366 - Flags: review?(sstangl) → review+
Are you sure? I can't reproduce it after this patch, which does address the assert in comment #0
Oh, you're right. That's strange: the original problem involved overflowing %rax, then attempting to restore the pre-overflow value from %rax for a bailout. I don't remember any patch in the interim addressing this problem... but can't complain.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: