IonMonkey: OSI register discrepancy between LIR and callVM

RESOLVED FIXED

Status

Core
JavaScript Engine
6 years ago
6 years ago

People

(Reporter: sstangl, Assigned: cdleary)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 588568 [details]
Test case failing with --ion -n.

The LIR and callVM may have different output registers. Generally, the discrepancy is handled by the generated code for the LIR, which moves the output registers from callVM to the expected output registers.

The postSnapshot attached to the LIR contains the LIR output registers (not necessarily the callVM output registers).

When OSI occurs from within callVM, the necessary output register motion has not occurred. Therefore the registers loaded via the snapshot are incorrect, and we get nonsense behavior. Test case attached.
Assignee: general → christopher.leary

(In reply to Sean Stangl from comment #0)
> The LIR and callVM may have different output registers. Generally, the
> discrepancy is handled by the generated code for the LIR, which moves the
> output registers from callVM to the expected output registers.

This is exactly why the callVM instruction was supposed to be the last instruction executed.

> The postSnapshot attached to the LIR contains the LIR output registers (not
> necessarily the callVM output registers).
> 
> When OSI occurs from within callVM, the necessary output register motion has
> not occurred. Therefore the registers loaded via the snapshot are incorrect,
> and we get nonsense behavior. Test case attached.

You should replace the IonBailoutIterator (and get rid of it) with the SnapshotIterator, which gives you a way to skip a slot if the slot is not a stack slot.

This is useful when the registers you are looking for are not dumped yet. For your correctness issue, based on the returned type of the output slot of the snapshot (this needs to be added to snapshots), you can look at the expected output register of callVM instead (either ReturnReg or JSReturnOperand).

(Reporter)

Updated

6 years ago
Blocks: 701962
Depends on: 722238
Added test case: http://hg.mozilla.org/projects/ionmonkey/rev/f6a781c960e2
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
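
A toy model of the failure described in this bug and of the redirect suggested in comment 1, added here as an illustration; it is not SpiderMonkey code. The register names, `Slot`, `Frame`, `readNaive`, `readAware` and the `isInstructionOutput` tag are assumptions, and only the `ReturnReg` case is modelled.

```cpp
// Constructed toy model, not SpiderMonkey code.
#include <array>
#include <cstdint>
#include <cstdio>
#include <vector>

enum Reg { R0, R1, R2, NumRegs };   // hypothetical register file
constexpr Reg ReturnReg = R0;       // where the toy callVM leaves its result

struct Slot {                       // one snapshot entry: where a value lives
    bool inRegister;
    Reg reg;                        // used when inRegister is true
    int stackIndex;                 // used when inRegister is false
    bool isInstructionOutput;       // assumed tag marking the LIR's output slot
};

struct Frame {
    std::array<int64_t, NumRegs> regs{};
    std::vector<int64_t> stack;
};

enum class ResumePoint { AfterLIR, InsideCallVM };

// Reads the slot exactly as the post-snapshot describes it (the reported bug).
int64_t readNaive(const Frame& f, const Slot& s) {
    return s.inRegister ? f.regs[s.reg] : f.stack[s.stackIndex];
}

// While still inside callVM the move into the LIR output register has not
// run, so the output slot is read from the call's return register instead.
int64_t readAware(const Frame& f, const Slot& s, ResumePoint at) {
    if (at == ResumePoint::InsideCallVM && s.inRegister && s.isInstructionOutput)
        return f.regs[ReturnReg];
    return readNaive(f, s);
}

// Constructed state: LIR output allocated to R2, VM call returned 42 in R0,
// invalidation happens before the "move R0 -> R2" that follows the call.
Frame frameInsideCallVM() {
    Frame f;
    f.regs = {42, 7, -1};           // R2 still holds a stale value
    f.stack = {100};
    return f;
}

int main() {
    Frame f = frameInsideCallVM();
    Slot out{true, R2, 0, true};
    std::printf("naive=%lld aware=%lld\n", (long long)readNaive(f, out),
                (long long)readAware(f, out, ResumePoint::InsideCallVM));
}
```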