Closed Bug 869529 Opened 12 years ago Closed 12 years ago

IonMonkey: LiveRangeAllocator assumes there always exists a block after the osrBlock (in post-order)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23

People

(Reporter: djvj, Unassigned)

References

Details

Attachments

(1 file)

Fix.
1.21 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
Found this helping track down dromaeo oranges for patch to bug 865059. LiveRangeAllocator::buildLivenessInfo uses a worklist of blocks in a loop to iterate through. When iterating to the next block in this list, it skips osrBlocks. However, it assumes that if the next block is an osrBlock, then the list contains at least one more non-osr block. This seems not to be the a valid assumption. At least, brian's scriptAnalysis patch in bug 865059 seems to trigger situations where this implicit assumption is no longer true. Before this fix, I was able to reproduce some crashes on dromaeo_css with the original patch for bug 865059 applied. After this issue is fixed, it doesn't show up, at least in debug builds. Will test more.
Attached patch Fix.Splinter Review
Attachment #746487 - Flags: review?(bhackett1024)
Attachment #746487 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/0a50d67075be
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Blocks: 875276
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: