Closed Bug 688327 Opened 13 years ago Closed 13 years ago

spidermonkey shell (Debug build) runs code incorrectly when both -m -D are specified

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla9

People

(Reporter: djf, Unassigned)

Details

Attachments

(4 files)

Test case. Run with -D -m and pipe stdout to a file to hide all the -D output so you can see the TypeError
726 bytes, text/x-c
Details
gdb stack trace
3.02 KB, text/plain
Details
JM spew of problematic code sequence
6.38 KB, text/plain
Details
inline stub calls can keep more registers live
850 bytes, patch
dvander
: review+
djf
: feedback+
Details | Diff | Splinter Review 
The attached test calls Object.defineProperty() in some vaguely interesting ways, but doesn't actually do anything.  Invoke it in the spidermonkey shell and it runs to completion and exits.

But, if you run it with -D and -m it throws a TypeError.  It runs fine with either -D or -m alone, though, so it is some interaction between the PCCOUNTS and the method jit.  Note that the test case just calls the same function 17 times.  The 17th fails, and I'm guessing that the method jit kicks in after the 16th execution...
Summary: spidermonkey shell runs code incorrectly when both -m -D are specified → spidermonkey shell (Debug build) runs code incorrectly when both -m -D are specified
Attached file gdb stack trace 
I generated this stack trace by setting breakpoint in JS_ReportErrorNumber and running a debugging build of the spidermonkey shell with -D and -m and the attached test case.

I was able to verify that at stack frame 5, the first argument to Object.defineProperty() call was not tagged as an object.  But in stack frame #10, before method jitting begins, args.base()[2] is indeed an object.

So the args are getting corrupted somewhere, but the code is too opaque for me to figure it out.  Perhaps at mystery stack frame #6?
djf, can you try this patch on your example? It fixes mine. bhackett looked at it and figured it out in no time.
Attachment #561900 - Flags: feedback?(dflanagan)
The patch fixes the issue for me.  Thanks!
Attachment #561900 - Flags: feedback?(dflanagan) → feedback+
Comment on attachment 561900 [details] [diff] [review]
inline stub calls can keep more registers live

We can carry callee-saved registers live across a FASTCALL, so using AvailRegs (aka SavedRegs | TempRegs) is incorrect.
Attachment #561900 - Flags: review?(dvander)
Attachment #561900 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/ee8a3069dc4c
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla9
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: