Closed
Bug 718122
Opened 12 years ago
Closed 12 years ago
IonMonkey: OSI register discrepancy between LIR and callVM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: sstangl, Assigned: cdleary)
References
Details
Attachments
(1 file)
339 bytes,
text/plain
|
Details |
The LIR and callVM may have different output registers. Generally, the discrepancy is handled by the generated code for the LIR, which moves the output registers from callVM to the expected output registers. The postSnapshot attached to the LIR contains the LIR output registers (not necessarily the callVM output registers). When OSI occurs from within callVM, the necessary output register motion has not occurred. Therefore the registers loaded via the snapshot are incorrect, and we get nonsense behavior. Test case attached.
Assignee | ||
Updated•12 years ago
|
Assignee: general → christopher.leary
Comment 1•12 years ago
|
||
(In reply to Sean Stangl from comment #0) > The LIR and callVM may have different output registers. Generally, the > discrepancy is handled by the generated code for the LIR, which moves the > output registers from callVM to the expected output registers. This is exactly why the callVM instruction was supposed to be the last instruction executed. > The postSnapshot attached to the LIR contains the LIR output registers (not > necessarily the callVM output registers). > > When OSI occurs from within callVM, the necessary output register motion has > not occurred. Therefore the registers loaded via the snapshot are incorrect, > and we get nonsense behavior. Test case attached. You should replace the IonBailoutIterator (and get rid of it) by the SnapshotIterator which gives you a way to skip a slot if the slot is not a stack slot. This is useful when the register you are looking for are not dumped yet. For your correctness issue, base on the type returned of the output slot of the snapshot (this need to be added to snapshots), you can look at the expected output register of callVM instead. (either ReturnReg, or JSReturnOperand)
Added test case: http://hg.mozilla.org/projects/ionmonkey/rev/f6a781c960e2
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•