Last Comment Bug 694172 - IonMonkey: Greedy regalloc bug around calls
: IonMonkey: Greedy regalloc bug around calls
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: unspecified
: All All
-- normal (vote)
: ---
Assigned To: David Anderson [:dvander]
: Jason Orendorff [:jorendorff]
Depends on:
  Show dependency treegraph
Reported: 2011-10-12 15:37 PDT by David Anderson [:dvander]
Modified: 2011-10-12 17:48 PDT (History)
1 user (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

fix (1.33 KB, patch)
2011-10-12 17:35 PDT, David Anderson [:dvander]
sstangl: review+
Details | Diff | Splinter Review

Description User image David Anderson [:dvander] 2011-10-12 15:37:17 PDT
Currently failing jit-test/tests/basic/bug532823.js and a bunch of others. We take the following bailout and then die in the interpreter with some bogus jsval.

Current resume point 0x858d0d8 details:
    taken at block 3 entry
    pc: 0x858bddf
    slot0: parameter1-vn2
    slot1: parameter3-vn4
    slot2: phi11-vn36
    slot3: phi13-vn38
[Snapshots] Generating LIR snapshot 0x8591d20 from MIR (0x858d0d8)
[Snapshots] Assigning snapshot 0x8591d20 to instruction 0x8591ce0 (callgeneric)
[Snapshots] Encoding snapshot 0x8591d20 (nfixed 4) (exprStack 0)
[Snapshots]     slot 0: value (t=144, d=140)
[Snapshots]     slot 1: value (t=152, d=edi)
[Snapshots]     slot 2: value (t=124, d=120)
[Snapshots]     slot 3: int32 (stack 108)
[Snapshots]     total size: 24 bytes (start 18)
Comment 1 User image David Anderson [:dvander] 2011-10-12 17:35:49 PDT
Created attachment 566700 [details] [diff] [review]

This fixes almost all of the failures. The snapshot has to be filled at the bottom of the instruction, not the top. This isn't ideal, it'll introduce more spills, but at least it's correct.
Comment 2 User image David Anderson [:dvander] 2011-10-12 17:48:47 PDT

Note You need to log in before you can comment on or make changes to this bug.