SpiderMonkey can use stale script analysis when debug mode is turned on

RESOLVED FIXED in mozilla11

Status

Core
JavaScript Engine
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: jimb, Assigned: jimb)

Tracking

unspecified
mozilla11
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

6 years ago
Created attachment 579556 [details] [diff] [review]
Ensure that JM compilation doesn't use out-of-date ScriptAnalysis structures.

The contents of a ScriptAnalysis depend on the value of debugMode; for example, see the way usesReturnValue_ gets set in ScriptAnalysis::analyzeByteCode. In some cases, the compiler may try to use a ScriptAnalysis created before debug mode was turned on to generate code when debug mode is on, leading to... Undesirable Consequences [orchestra spike].

Some tests in js/src/jit-test/tests/debug cause the assertions in the attached patch to fail, if you comment out the call to JSScript::clearAnalysis that it adds.
Attachment #579556 - Flags: review?(bhackett1024)
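
A simplified model of the stale-analysis problem described above, added here as an illustration; it is not code from the attached patch or from SpiderMonkey. All type and function names are hypothetical, the rule that debug mode forces the return value to be tracked is an assumption, and the guard returns a status where the patch uses assertions so that both paths can be exercised.

```cpp
#include <memory>

// Simplified model of the bug; every name here is hypothetical.
struct Compartment { bool debugMode; };
// Cached per-script analysis. Its contents depend on the mode it was built in.
struct Analysis { bool builtInDebugMode; bool usesReturnValue; };

struct Script {
    Compartment *comp;
    bool bytecodeReadsRval;             // what the bytecode alone implies
    std::unique_ptr<Analysis> analysis; // built lazily, then reused
    Script(Compartment *c, bool reads) : comp(c), bytecodeReadsRval(reads) {}
    const Analysis &ensureAnalysis() {
        if (!analysis) {
            // Assumed rule: debug mode forces the return value to be tracked.
            bool uses = bytecodeReadsRval || comp->debugMode;
            analysis.reset(new Analysis{comp->debugMode, uses});
        }
        return *analysis;
    }
    void clearAnalysis() { analysis.reset(); }
};

// Toggle debug mode. invalidate=false models the behaviour before the fix.
void setDebugMode(Script &s, bool on, bool invalidate) {
    s.comp->debugMode = on;
    if (invalidate) s.clearAnalysis();
}

enum CompileResult { STALE_ANALYSIS, IGNORES_RVAL, TRACKS_RVAL };

// Code generation consults the cached analysis; the guard rejects an
// analysis built under a different mode instead of silently using it.
CompileResult compile(Script &s) {
    const Analysis &a = s.ensureAnalysis();
    if (a.builtInDebugMode != s.comp->debugMode)
        return STALE_ANALYSIS;
    return a.usesReturnValue ? TRACKS_RVAL : IGNORES_RVAL;
}

int main() {
    Compartment c{false};
    Script s(&c, false);
    compile(s);                        // caches a non-debug analysis
    setDebugMode(s, true, false);      // mode flips, cache survives
    bool caught = compile(s) == STALE_ANALYSIS;
    setDebugMode(s, true, true);       // mode flips, cache is cleared
    return (caught && compile(s) == TRACKS_RVAL) ? 0 : 1;
}
```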
(Assignee)

Updated

6 years ago
Blocks: 674171
(Assignee)

Updated

6 years ago
Assignee: general → jimb
OS: Linux → All
Hardware: x86_64 → All
Target Milestone: --- → mozilla11
(Assignee)

Updated

6 years ago
Flags: in-testsuite+
Attachment #579556 - Flags: review?(bhackett1024) → review+
(Assignee)

Comment 1

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/7a0d03046d42
Status: NEW → ASSIGNED
(Assignee)

Comment 2

6 years ago
Try server run:
https://tbpl.mozilla.org/?tree=Try&rev=48fe5b5d6aa3

Comment 3

6 years ago
https://hg.mozilla.org/mozilla-central/rev/7a0d03046d42
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED