Closed
Bug 685377
Opened 13 years ago
Closed 13 years ago
IonMonkey: Incorrect bailout during argument construction.
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 691603
People
(Reporter: sstangl, Assigned: dvander)
Details
Attachments
(2 files)
761 bytes,
application/javascript
|
Details | |
12.80 KB,
patch
|
sstangl
:
review+
|
Details | Diff | Splinter Review |
The attached test case trips the following assertion on x86/x64 with --ion-eager:
> Assertion failure: GlobalIonContext, at /home/sstangl/dev/ionmonkey/js/src/ion/Ion.cpp:126
Some recent patches caused a reduced version of this testcase to unexpectedly pass.
Reporter | ||
Comment 1•13 years ago
|
||
Note that the problem is most likely due to a ResumePoint that is not at the start of the function call -- this is the first time we have non-idempotent instructions. Calling take_snapshot() (aliased to "h") creates a new ResumePoint.
Assignee | ||
Comment 2•13 years ago
|
||
I can't reproduce the original bug, but the current crash is because bailout contexts can't stack, and we appear to be re-entering Ion code.
Reporter | ||
Comment 3•13 years ago
|
||
Comment on attachment 560366 [details] [diff] [review] fix Review of attachment 560366 [details] [diff] [review]: ----------------------------------------------------------------- This patch is fine, but seems unrelated to this bug -- I can still reproduce it on x86 and x64. ::: js/src/tests/ecma_5/extensions/extension-methods-reject-null-undefined-this.js @@ -1,1 @@ > -/* This file probably shouldn't be removed? I'm unclear on why this is removed, and how it's related to this patch. ::: js/src/tests/ecma_5/misc/builtin-methods-reject-null-undefined-this.js @@ -1,1 @@ > -/* This file too.
Attachment #560366 -
Flags: review?(sstangl) → review+
Assignee | ||
Comment 4•13 years ago
|
||
Are you sure? I can't reproduce it after this patch, which does address the assert in comment #0
Reporter | ||
Comment 5•13 years ago
|
||
Oh, you're right. That's strange: the original problem involved overflowing %rax, then attempting to restore the pre-overflow value from %rax for a bailout. I don't remember any patch in the interim addressing this problem... but can't complain.
Assignee | ||
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•