Closed Bug 733248 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash [@ PushMarkStack [inlined]]

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: gkw, Assigned: dvander)

References

Details

(Keywords: crash, testcase)

Attachments

(2 files)

stack 13 years ago Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) 7.09 KB, text/plain		Details
fix 13 years ago David Anderson [:dvander] - inactive, e-mail if emergency 4.72 KB, patch	nbp : review+	Details \| Diff \| Splinter Review

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

13 years ago

Attached file stack — Details

The upcoming attached testcase crashes js opt shell on IonMonkey changeset 1fd6c40d3852 with -m, -a, --ion and -n at PushMarkStack [inlined]

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 2

•

13 years ago

Tested on js 64-bit opt shell in Mac OS X Lion. On further testing, only --ion and -n seem to be needed.

David Anderson [:dvander] - inactive, e-mail if emergency

Assignee

Comment 3

•

13 years ago

Attached patch fix — Details — Splinter Review

Bug that has bitten us since the TM days. Some x86 compilers (MSVC for sure, apparently clang too) use 8-bit register to handle "bool", and we were testing the full 32-bits, which could lead to seeing a false return value as true.

Assignee: general → dvander

Status: NEW → ASSIGNED

Attachment #605211 - Flags: review?(nicolas.b.pierron)

Nicolas B. Pierron [:nbp]

Comment 4

•

13 years ago

Comment on attachment 605211 [details] [diff] [review] fix Review of attachment 605211 [details] [diff] [review]: ----------------------------------------------------------------- Apply nits and r=me. ::: js/src/assembler/assembler/X86Assembler.h @@ +1276,5 @@ > + void testb_rr(RegisterID src, RegisterID dst) > + { > + js::JaegerSpew(js::JSpew_Insns, > + IPFX "testb %s, %s\n", MAYBE_PAD, > + nameIReg(4,src), nameIReg(4,dst)); nit: nameIReg(4,dst) --> nameIReg(1,dst) ::: js/src/ion/shared/Assembler-x86-shared.h @@ +501,5 @@ > void setCC(Condition cond, const Register &r) { > masm.setCC_r(static_cast<JSC::X86Assembler::Condition>(cond), r.code()); > } > + void testb(const Register &lhs, const Register &rhs) { > + masm.testb_rr(rhs.code(), lhs.code()); nit: Make sure that registers can be interpreted as byte registers. JS_ASSERT(GeneralRegisterSet(Registers::SingleByteRegs).has(lhs)); JS_ASSERT(GeneralRegisterSet(Registers::SingleByteRegs).has(rhs));

Attachment #605211 - Flags: review?(nicolas.b.pierron) → review+

David Anderson [:dvander] - inactive, e-mail if emergency

Assignee

Comment 5

•

13 years ago

http://hg.mozilla.org/projects/ionmonkey/rev/1052d3eb7a78

Status: ASSIGNED → RESOLVED

Closed: 13 years ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

IonMonkey: Crash [@ PushMarkStack [inlined]]

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: gkw, Assigned: dvander)

References

Details

(Keywords: crash, testcase)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 2

Comment 3

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type