Closed Bug 688327 Opened 8 years ago Closed 8 years ago

spidermonkey shell (Debug build) runs code incorrectly when both -m -D are specified


(Core :: JavaScript Engine, defect)

(Reporter: djf, Unassigned)



(4 files)

The attached test calls Object.defineProperty() in some vaguely interesting ways, but doesn't actually do anything.  Invoke it in the spidermonkey shell and it runs to completion and exits.

But, if you run it with -D and -m it throws a TypeError.  It runs fine with either -D or -m alone, though, so it is some interaction between the PCCOUNTS and the method jit.  Note that the test case just calls the same function 17 times.  The 17th fails, and I'm guessing that the method jit kicks in after the 16th execution...
Summary: spidermonkey shell runs code incorrectly when both -m -D are specified → spidermonkey shell (Debug build) runs code incorrectly when both -m -D are specified
Attached file gdb stack trace
I generated this stack trace by setting a breakpoint in JS_ReportErrorNumber and running a debugging build of the spidermonkey shell with -D and -m and the attached test case.

I was able to verify that at stack frame 5, the first argument to the Object.defineProperty() call was not tagged as an object.  But in stack frame #10, before method jitting begins, args.base()[2] is indeed an object.

So the args are getting corrupted somewhere, but the code is too opaque for me to figure it out.  Perhaps at mystery stack frame #6?
djf, can you try this patch on your example? It fixes mine. bhackett looked at it and figured it out in no time.
Attachment #561900 - Flags: feedback?(dflanagan)
The patch fixes the issue for me.  Thanks!
Attachment #561900 - Flags: feedback?(dflanagan) → feedback+
Comment on attachment 561900 [details] [diff] [review]
inline stub calls can keep more registers live

We can carry callee-saved registers live across a FASTCALL, so using AvailRegs (aka SavedRegs | TempRegs) is incorrect.
Attachment #561900 - Flags: review?(dvander)
Attachment #561900 - Flags: review?(dvander) → review+
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla9