Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 749486 - js::ToInt32 broken when it gets inlined
: js::ToInt32 broken when it gets inlined
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: unspecified
: ARM Linux
: -- normal (vote)
: mozilla15
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
  Show dependency treegraph
Reported: 2012-04-26 19:23 PDT by Marty Rosenberg [:mjrosenb]
Modified: 2012-04-29 14:43 PDT (History)
2 users (show)
ryanvm: in‑testsuite-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

/home/mrosenberg/patches/fix_input-r1.patch (914 bytes, patch)
2012-04-26 19:23 PDT, Marty Rosenberg [:mjrosenb]
Jacob.Bramley: review+
Details | Diff | Splinter Review

Description Marty Rosenberg [:mjrosenb] 2012-04-26 19:23:45 PDT
Created attachment 618898 [details] [diff] [review]

This one is against m-i, not IonMonkey.  The GNU asm blob that does the toInt32 conversion is correct, but it marks |d| as an input register, meaning that the value in those registers should remain unchanged.  For the most part, since the function is nothing but that statement, this is fine.  However, if the function gets inlined, gcc expects the (possibly not dead) value of d to remain unchanged, and in fact actively uses it after the call to ToInt32 in js_Array.  By specifing d as input/output, gcc assumes that the value of d has been changed in some unexpected way, and therefor cannot be eliminated as being the same as the argument to the function when inlining.
Comment 1 Jacob Bramley [:jbramley] 2012-04-27 01:10:57 PDT
Comment on attachment 618898 [details] [diff] [review]

Review of attachment 618898 [details] [diff] [review]:

Ooh, nasty!

The fix looks good.
Comment 2 Ryan VanderMeulen [:RyanVM] 2012-04-29 14:43:11 PDT

Note You need to log in before you can comment on or make changes to this bug.