SpiderMonkey can use stale script analysis when debug mode is turned on

RESOLVED FIXED in mozilla11

Status

Core
JavaScript Engine
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: jimb, Assigned: jimb)

Tracking

unspecified
mozilla11
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

5 years ago
Created attachment 579556 [details] [diff] [review]
Ensure that JM compilation doesn't use out-of-date ScriptAnalysis structures.

The contents of a ScriptAnalysis depend on the value of debugMode; for example, see the way usesReturnValue_ gets set in ScriptAnalysis::analyzeByteCode. In some cases, the compiler may try to use a ScriptAnalysis created before debug mode was turned on to generate code when debug mode is on, leading to... Undesirable Consequences [orchestra spike].

Some tests in js/src/jit-test/tests/debug cause the assertions in the attached patch to fail, if you comment out the call to JSScript::clearAnalysis that it adds.
Attachment #579556 - Flags: review?(bhackett1024)
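
The stale-analysis pattern described in the report, as an added example that is not SpiderMonkey code and not part of the attached patch. It is a simplified model: the `builtInDebugMode` field, the `analysisIsFresh` check and the rule that debug mode forces `usesReturnValue` on are assumptions made for illustration; only the names `ScriptAnalysis`, `debugMode`, `usesReturnValue` and `clearAnalysis` echo the report.

```cpp
#include <memory>

// Simplified model, NOT SpiderMonkey source. Names echo the bug report;
// fields and logic are assumptions made for illustration.
struct Compartment { bool debugMode = false; };

struct ScriptAnalysis {
    bool builtInDebugMode;  // hypothetical field: mode when the analysis ran
    bool usesReturnValue;   // result that depends on that mode
};

struct Script {
    Compartment* comp = nullptr;
    bool bytecodeUsesRval = false;             // constructed input
    std::unique_ptr<ScriptAnalysis> analysis;  // cached across compilations

    const ScriptAnalysis& ensureAnalysis() {
        if (!analysis)  // assumption: debug mode forces usesReturnValue on
            analysis.reset(new ScriptAnalysis{
                comp->debugMode, bytecodeUsesRval || comp->debugMode});
        return *analysis;
    }
    void clearAnalysis() { analysis.reset(); }
};

// The invariant a compiler can assert before generating code.
bool analysisIsFresh(const Script& s) {
    return !s.analysis || s.analysis->builtInDebugMode == s.comp->debugMode;
}

// Buggy toggle: flips the mode, leaves the cached analysis in place.
bool staleAfterBuggyToggle() {
    Compartment c; Script s; s.comp = &c;
    s.ensureAnalysis();
    c.debugMode = true;
    return !analysisIsFresh(s) && !s.ensureAnalysis().usesReturnValue;
}

// Fixed toggle: flips the mode and drops the cached analysis.
bool freshAfterFixedToggle() {
    Compartment c; Script s; s.comp = &c;
    s.ensureAnalysis();
    c.debugMode = true;
    s.clearAnalysis();
    return analysisIsFresh(s) && s.ensureAnalysis().usesReturnValue;
}

int main() { return staleAfterBuggyToggle() && freshAfterFixedToggle() ? 0 : 1; }
```
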
(Assignee)

Updated

5 years ago
Blocks: 674171
(Assignee)

Updated

5 years ago
Assignee: general → jimb
OS: Linux → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla11
(Assignee)

Updated

5 years ago
Flags: in-testsuite+
Attachment #579556 - Flags: review?(bhackett1024) → review+
(Assignee)

Comment 1

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/7a0d03046d42
Status: NEW → ASSIGNED
(Assignee)

Comment 2

5 years ago
Try server run:
https://tbpl.mozilla.org/?tree=Try&rev=48fe5b5d6aa3
https://hg.mozilla.org/mozilla-central/rev/7a0d03046d42
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED