Closed Bug 718122 Opened 12 years ago Closed 12 years ago

IonMonkey: OSI register discrepancy between LIR and callVM

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: sstangl, Assigned: cdleary)

Attachments

(1 file)

The LIR and callVM may have different output registers. Generally, the discrepancy is handled by the generated code for the LIR, which moves the output registers from callVM to the expected output registers.

The postSnapshot attached to the LIR contains the LIR output registers (not necessarily the callVM output registers).

When OSI occurs from within callVM, the necessary output register motion has not occurred. Therefore the registers loaded via the snapshot are incorrect, and we get nonsense behavior. Test case attached.
Assignee: general → christopher.leary
(In reply to Sean Stangl from comment #0)
> The LIR and callVM may have different output registers. Generally, the
> discrepancy is handled by the generated code for the LIR, which moves the
> output registers from callVM to the expected output registers.

This is exactly why the callVM instruction was supposed to be the last instruction executed.

> The postSnapshot attached to the LIR contains the LIR output registers (not
> necessarily the callVM output registers).
> 
> When OSI occurs from within callVM, the necessary output register motion has
> not occurred. Therefore the registers loaded via the snapshot are incorrect,
> and we get nonsense behavior. Test case attached.

You should replace the IonBailoutIterator (and get rid of it) by the SnapshotIterator which gives you a way to skip a slot if the slot is not a stack slot.

This is useful when the registers you are looking for are not dumped yet. For your correctness issue, based on the returned type of the output slot of the snapshot (this needs to be added to snapshots), you can look at the expected output register of callVM instead (either ReturnReg or JSReturnOperand).
Blocks: 701962
Added test case: http://hg.mozilla.org/projects/ionmonkey/rev/f6a781c960e2
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
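
A toy model of the failure reported in this bug and of the direction suggested in the reply, added here as an illustration; it is not IonMonkey code and not the patch that landed. Only `ReturnReg` and `JSReturnOperand` are names from the thread; the register file, `OutputSlot`, `SlotType`, `AllocatedOut` and the function names are hypothetical.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>

// Toy register file; AllocatedOut stands for whatever register the LIR output was given.
enum Reg { ReturnReg, JSReturnOperand, AllocatedOut, NumRegs };
using RegFile = std::array<int64_t, NumRegs>;

enum class SlotType { Typed, Boxed };            // hypothetical: return type recorded in the snapshot
enum class InvalidatedAt { InsideCallVM, AfterMove };

struct OutputSlot {                              // the post-snapshot's view of the LIR output
    Reg lirReg;                                  // register the LIR expects its output in
    SlotType type;                               // the information the reply says must be added
};

constexpr int64_t kStale = 0xDEAD;               // constructed: old contents of the LIR output register

// Register in which callVM leaves a result of the given type.
Reg callVMOutput(SlotType t) {
    return t == SlotType::Typed ? ReturnReg : JSReturnOperand;
}

// Execute "callVM; move result into LIR output", stopping where invalidation takes effect.
RegFile runUntilBailout(const OutputSlot& slot, InvalidatedAt where, int64_t vmResult) {
    RegFile regs{};
    regs[slot.lirReg] = kStale;
    regs[callVMOutput(slot.type)] = vmResult;    // the VM call returns its result here
    if (where == InvalidatedAt::AfterMove)
        regs[slot.lirReg] = regs[callVMOutput(slot.type)];  // the LIR's fix-up move
    return regs;
}

// The reported bug: always trust the register named in the snapshot.
int64_t restoreNaive(const OutputSlot& slot, const RegFile& regs) {
    return regs[slot.lirReg];
}

// Suggested direction: when invalidated inside callVM, read the call's own output register.
int64_t restoreCallAware(const OutputSlot& slot, const RegFile& regs, InvalidatedAt where) {
    Reg src = where == InvalidatedAt::InsideCallVM ? callVMOutput(slot.type) : slot.lirReg;
    return regs[src];
}

int main() {
    OutputSlot slot{AllocatedOut, SlotType::Typed};
    RegFile regs = runUntilBailout(slot, InvalidatedAt::InsideCallVM, 42);
    std::printf("naive=%lld call-aware=%lld\n", (long long)restoreNaive(slot, regs), (long long)restoreCallAware(slot, regs, InvalidatedAt::InsideCallVM));
}
```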