Bug 718122 - IonMonkey: OSI register discrepancy between LIR and callVM
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: JavaScript Engine
: x86 Linux
: -- normal
Assigned To: Chris Leary [:cdleary] (not checking bugmail)
: Jason Orendorff [:jorendorff]
Depends on: 722238
Blocks: 701962
Reported: 2012-01-13 17:35 PST by Sean Stangl [:sstangl]
Modified: 2012-02-01 15:01 PST


Attachments
Test case failing with --ion -n. (339 bytes, text/plain)
2012-01-13 17:35 PST, Sean Stangl [:sstangl]

Description Sean Stangl [:sstangl] 2012-01-13 17:35:43 PST
Created attachment 588568
Test case failing with --ion -n.

The LIR and callVM may have different output registers. Generally, the discrepancy is handled by the generated code for the LIR, which moves the output registers from callVM to the expected output registers.

The postSnapshot attached to the LIR contains the LIR output registers (not necessarily the callVM output registers).

When OSI occurs from within callVM, the necessary output register motion has not occurred. Therefore the registers loaded via the snapshot are incorrect, and we get nonsense behavior. Test case attached.
Comment 1 Nicolas B. Pierron [:nbp] 2012-01-13 21:43:01 PST
(In reply to Sean Stangl from comment #0)
> The LIR and callVM may have different output registers. Generally, the
> discrepancy is handled by the generated code for the LIR, which moves the
> output registers from callVM to the expected output registers.

This is exactly why the callVM instruction was supposed to be the last instruction executed.

> The postSnapshot attached to the LIR contains the LIR output registers (not
> necessarily the callVM output registers).
> 
> When OSI occurs from within callVM, the necessary output register motion has
> not occurred. Therefore the registers loaded via the snapshot are incorrect,
> and we get nonsense behavior. Test case attached.

You should replace the IonBailoutIterator (and get rid of it) by the SnapshotIterator which gives you a way to skip a slot if the slot is not a stack slot.

This is useful when the registers you are looking for are not dumped yet. For your correctness issue, based on the type returned of the output slot of the snapshot (this needs to be added to snapshots), you can look at the expected output register of callVM instead (either ReturnReg or JSReturnOperand).
Comment 2 David Anderson [:dvander] 2012-02-01 15:01:53 PST
Added test case: http://hg.mozilla.org/projects/ionmonkey/rev/f6a781c960e2
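
The failure described in the report and the lookup suggested in comment 1, as an added toy model that is not IonMonkey code and not written by any commenter. `Machine`, `SnapshotSlot`, `R1`, `R2` and every function name are hypothetical; only `ReturnReg` is a name from the thread, and the `JSReturnOperand` case is left out.

```cpp
#include <array>
#include <cstdint>

// Toy register file. ReturnReg is where callVM leaves its result.
enum Reg { ReturnReg = 0, R1, R2, NumRegs };
struct Machine { std::array<int64_t, NumRegs> regs{}; };

// One snapshot slot: the register the LIR says holds the value, and
// whether that value is the LIR's own output (assumed extra metadata).
struct SnapshotSlot { Reg reg; bool isLirOutput; };

// The VM call writes its result to the callVM output register.
void callVM(Machine& m, int64_t result) { m.regs[ReturnReg] = result; }

// Code generated for the LIR after callVM returns: move the result
// into the register the LIR (and its postSnapshot) expects.
void moveOutput(Machine& m, Reg lirOut) { m.regs[lirOut] = m.regs[ReturnReg]; }

// Restore that trusts the snapshot register unconditionally.
int64_t restoreNaive(const Machine& m, SnapshotSlot s) { return m.regs[s.reg]; }

// Restore that reads the callVM output register when invalidation
// happened inside callVM and the slot is the LIR output.
int64_t restoreAware(const Machine& m, SnapshotSlot s, bool insideCallVM) {
    if (insideCallVM && s.isLirOutput) return m.regs[ReturnReg];
    return m.regs[s.reg];
}

struct Outcome { int64_t naive; int64_t aware; };

// Invalidation fires inside callVM, before moveOutput has run.
Outcome invalidateDuringCallVM() {
    Machine m;
    m.regs[R2] = 0xDEAD;              // stale value left in the LIR output reg
    SnapshotSlot out{R2, true};
    callVM(m, 42);
    return { restoreNaive(m, out), restoreAware(m, out, true) };
}

// The call completes and the LIR's move runs before any bailout.
Outcome normalCompletion() {
    Machine m;
    m.regs[R2] = 0xDEAD;
    SnapshotSlot out{R2, true};
    callVM(m, 42);
    moveOutput(m, R2);
    return { restoreNaive(m, out), restoreAware(m, out, false) };
}
```

In the invalidation case the naive restore returns the stale register contents, while both restores agree once the move has run.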
