Closed Bug 836781 Opened 11 years ago Closed 11 years ago

BaselineCompiler: Fix bailouts from Ion frames with inlined NEW/FUNAPPLY ops (FUNCALL, once Ion inlines it)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: djvj, Unassigned)

References

Details

Attachments

(1 file)

Patch
17.21 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
Ion can have inlined frames invoked via a logical JSOP_NEW, JSOP_FUNAPPLY, etc.

When bailing out frames containing these inlined frames, resuming into baseline is buggy because the bailout code assumes we'll always be resuming into the Call_Scripted optimized stub, and we're not guaranteed that we have existing stubs on the stub chain handling the invoke ops being reconstructed.

In fact, even with JSOP_CALL this is a bug because the CALL stub could be gc-collected while ion code is running.
Solution plan:

We just need a unified, guaranteed-to-exist (i.e. not be GCed) way to resume into baseline code immediately AFTER a JOF_INVOKE operation.

We can use the jitcode for the ICCall_Fallback stub to do this.  Currently the jitcode just does a VM tailcall to DoCallFallback(), which handles the call manually and tries to attach stubs.

We can attach an "after-call" resume path after this VM tailcall.  The code will never be reached during actual baseline execution.  However, when bailing out from Ion, it can be used as a guaranteed return-addr that can be rejoined at with the correct semantics for all INVOKE operations.

Fallback stubs are never collected, while the baseline script is around, so we do not have to worry about collection getting in the way either.
Attached patch PatchSplinter Review 
The fix.

This also fixes a bug in the way arguments in BaselineStub and Rectifier frames were reconstructed when bailing from Ion.  The bug did not exhibit because the badly reconstructed arguments were never used (just discarded from the stack as we returned up the frame stack).
Attachment #708757 - Flags: review?(jdemooij)
Note: the patch seems to cause a new test failure in x64 jit-tets/check-bitops-nsieve-bits.js  (not a crash, but computing a wrong result).

Couldn't spot anything immediately obvious.  Need to look into that.
Comment on attachment 708757 [details] [diff] [review]
Patch

Review of attachment 708757 [details] [diff] [review]:
-----------------------------------------------------------------

Nice.

(In reply to Kannan Vijayan [:djvj] from comment #3)
> Note: the patch seems to cause a new test failure in x64
> jit-tets/check-bitops-nsieve-bits.js  (not a crash, but computing a wrong
> result).

I noticed the same problem on x86 yesterday, so it seems unrelated to this patch.

::: js/src/ion/BaselineBailouts.cpp
@@ +721,4 @@
>      unsigned actualArgc = GET_ARGC(pc);
>      JS_ASSERT(actualArgc + 2 <= exprStackSlots);
>      for (unsigned i = 0; i < actualArgc + 1; i++) {
> +        // size_t argSlot = (script->nfixed + exprStackSlots) - (actualArgc + 1) + i;

Nit: delete comment.
Attachment #708757 - Flags: review?(jdemooij) → review+
Should this be marked FIXED?
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: