Closed Bug 725067 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash [@ js::gc::ChunkBitmap::markIfUnmarked]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(3 files)

part 1: split MGenericSetProperty up
17.31 KB, patch
jandem
: review+
Details | Diff | Splinter Review
part 2, rename LCacheSetProperty to LSetPropertyCache
7.72 KB, patch
jandem
: review+
Details | Diff | Splinter Review
part 3, fix the bug
3.88 KB, patch
jandem
: review+
Details | Diff | Splinter Review
The following testcase crashes on ionmonkey revision d66c148e0756 (run with --ion -n), tested on 64 bit: var o0 = []; var o4 = {}; var o5 = Math; function f6(o) { o[("Keywords")] = o;}; for(var i=0; i<20; i++) { f6(o0); f6(o4); f6(o5); } gc();
The bug here is that lhs == rhs in the register allocator, and then we generate code like: push lhs mov [lhs.slots], lhs mov rhs, [lhs] pop lhs So we just need to get an extra register. But before that I'd like to refactor the SetProperty stuff so it looks more like GetProperty/GetElement.
This patch splits MGenericSetProperty into MCallSetProperty and MSetPropertyCache. LCallSetPropertyV/T are then combined into one unspecialized LCallSetProperty.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #595519 - Flags: review?(jdemooij)
Comment on attachment 595519 [details] [diff] [review] part 1: split MGenericSetProperty up Review of attachment 595519 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/MIR.h @@ +2959,5 @@ > bool strict_; > + > + protected: > + MSetPropertyInstruction(MDefinition *obj, MDefinition *value, JSAtom *atom, > + bool strict) Nit: this needs some extra spaces
Attachment #595519 - Flags: review?(jdemooij) → review+
Comment on attachment 595521 [details] [diff] [review] part 2, rename LCacheSetProperty to LSetPropertyCache Review of attachment 595521 [details] [diff] [review]: ----------------------------------------------------------------- What about renaming GetPropertyCache so these instructions use either a Call* or a Cache* prefix?
Attachment #595521 - Flags: review?(jdemooij) → review+
Attachment #595537 - Flags: review?(jdemooij) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/9cd94217ee4f http://hg.mozilla.org/projects/ionmonkey/rev/d546f1b141b9 http://hg.mozilla.org/projects/ionmonkey/rev/28c66941856b I think I prefer Call/Cache as suffixes, but it's not a strong preference.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug725067.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: