686381 - IonMonkey: Compile JSOP_AND

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Comment 1

[Jan de Mooij [:jandem]]

I have a patch to compile JSOP_AND and JSOP_OR, will clean-up and attach next week.

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Patch

With this patch we fail basic/shapelessCalleeTest.js with --ion-eager, same assert as bug 691598. I was able to reduce it to a test without AND/OR:
--
function f(a, b, c) {
    a();
}
f();
--
Seems to be bug 691598, or do you want me to file a separate bug?

Comment 3

[Jan de Mooij [:jandem]]

Attachment: Follow-up fix

While fuzzing this a bit I noticed there's a problem with bailouts. Consider this expression:

X && Y

If we bail-out at Y, the snapshot of the RHS block assumes X is still on the stack (X is popped immediately after taking the snapshot). The interpreter, however, assumes JSOP_AND already popped X.

The simplest fix is to change JSOP_AND and JSOP_OR to always leave the value on the stack, and insert a JSOP_POP right before the RHS.

I can probably land this patch on m-c first.

Comment 4

[David Anderson [:dvander] - inactive, e-mail if emergency]

Comment on attachment 571961 [details] [diff] [review]
Follow-up fix

Review of attachment 571961 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, would be good to land the non-ion changes on m-c first.

Comment 5

[Jan de Mooij [:jandem]]

I will land these patches tomorrow (after the nightly -> aurora merge).

Comment 6

[Jan de Mooij [:jandem]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/97dc5c8ab41b

Please don't close this bug, I still have to land the other patch on the IM branch.

Comment 7

[Marco Bonardo [:mak]]

https://hg.mozilla.org/mozilla-central/rev/97dc5c8ab41b

Comment 8

[Jan de Mooij [:jandem]]

http://hg.mozilla.org/projects/ionmonkey/rev/bb133d578f86