Open Bug 787050 Opened 12 years ago Updated 2 years ago

IonMonkey: not rejoining properly from invalidation within instanceof GetPropertyCache

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
macOS
Type:
defect

Tracking

()

People

(Reporter: bhackett1024, Unassigned)

References

Details

(Whiteboard: [ion:p2])

Attachments

(1 file)

patch to trigger failure
862 bytes, patch
Details | Diff | Splinter Review 
JSOP_INSTANCEOF is implemented using a GetPropertyCache, and if the VM call made by that cache invalidates the calling code then the value pushed by the instanceof is incorrect.  The easiest way to reproduce this is to apply the attached patch, which will discard code when GetPropertyCache is called via instanceof.  This will cause several jit-tests to start failing, and also the following example:

function foo() {
  print(foo instanceof Function);
}
foo();

> js test.js
true

> js --ion-eager test.js
function () {
}
Urgh, I thought I had reasoned invalidation wouldn't happen normally. JSC splits INSTANCEOF into multiple opcodes which would make this a lot easier...
Not sure how hard it is to trigger this without the patch. Marking as lower priority for now.
Whiteboard: [ion:p2]
Blocks: 814177
Assignee: general → nobody
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: