Closed Bug 694172 Opened 14 years ago Closed 14 years ago

IonMonkey: Greedy regalloc bug around calls

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dvander, Assigned: dvander)

Details

Attachments

(1 file)

fix
1.33 KB, patch
sstangl
: review+
Details | Diff | Splinter Review
Currently failing jit-test/tests/basic/bug532823.js and a bunch of others. We take the following bailout and then die in the interpreter with some bogus jsval. Current resume point 0x858d0d8 details: taken at block 3 entry pc: 0x858bddf slot0: parameter1-vn2 slot1: parameter3-vn4 slot2: phi11-vn36 slot3: phi13-vn38 [Snapshots] Generating LIR snapshot 0x8591d20 from MIR (0x858d0d8) [Snapshots] Assigning snapshot 0x8591d20 to instruction 0x8591ce0 (callgeneric) [Snapshots] Encoding snapshot 0x8591d20 (nfixed 4) (exprStack 0) [Snapshots] slot 0: value (t=144, d=140) [Snapshots] slot 1: value (t=152, d=edi) [Snapshots] slot 2: value (t=124, d=120) [Snapshots] slot 3: int32 (stack 108) [Snapshots] total size: 24 bytes (start 18)
Attached patch fixSplinter Review
This fixes almost all of the failures. The snapshot has to be filled at the bottom of the instruction, not the top. This isn't ideal, it'll introduce more spills, but at least it's correct.
Attachment #566700 - Flags: review?(sstangl)
Attachment #566700 - Flags: review?(sstangl) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/043ea5aee853
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: