Closed Bug 885660 Opened 11 years ago Closed 11 years ago

JSIL raytracer demo fails to load unless debugger is active

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
23 Branch
Platform:
x86_64
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla25
Tracking Flags:
Tracking Status
firefox22 --- unaffected
firefox23 + fixed
firefox24 + fixed
firefox25 --- verified

People

(Reporter: kael, Assigned: jandem)

Details

(Keywords: regression)

Attachments

(3 files)

Test case
1.46 MB, application/zip
Details
Shell testcase
720 bytes, application/x-javascript
Details
Patch
5.61 KB, patch
djvj
: review+
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
Details | Diff | Splinter Review
Attached file Test case 
A recent change to the JS engine has caused the JSIL raytracer demo to fail to load unless the built-in debugger is active.

It fails with this error message:

Unhandled exception at http://127.0.0.1:81/Libraries/JSIL.Core.js line 6719:
TypeError: assembly is undefined

If the built in debugger is active the page loads normally and no exceptions (handled or otherwise) are thrown.

The test case still works in IE and older builds of Firefox.

Mozregression window:
Last good nightly: 2013-05-08
First bad nightly: 2013-05-09
Regression range:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b980d32c366f&tochange=ea059733677c

Suspected bug:
Boris Zbarsky — Bug 869040. Fix ion IC for non-overridebuiltins named gets on ListBase proxies to not cache lack of a property when it's just missing on the prototype. r=djvj

Workaround:
javascript.options.ion.content = false fixes the issue.
Assignee: general → nobody
Blocks: 869040
Severity: blocker → normal
status-firefox22: --- → unaffected
status-firefox23: --- → ?
status-firefox24: --- → ?
Component: JavaScript Engine → DOM
Keywords: regression
Ccing the people who actually know jit stuff...
Assignee: nobody → general
Component: DOM → JavaScript Engine
Regression window(m-c)
Good:
http://hg.mozilla.org/mozilla-central/rev/dea5219d6b43
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130508 Firefox/23.0 ID:20130508210518
Bad:
http://hg.mozilla.org/mozilla-central/rev/ea059733677c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130508 Firefox/23.0 ID:20130508211818
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=dea5219d6b43&tochange=ea059733677c

Regression window(m-c)
Good:
http://hg.mozilla.org/integration/mozilla-inbound/rev/1c05e7a9e51c
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130508 Firefox/23.0 ID:20130508095549
Bad:
http://hg.mozilla.org/integration/mozilla-inbound/rev/469e647ccbf5
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20130508 Firefox/23.0 ID:20130508104708
Pushlog:
http://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=1c05e7a9e51c&tochange=469e647ccbf5
Blocks: 868042
No longer blocks: 869040
Bug 868042 regressing this is unlikely, it probably exposed an existing bug. I'll investigate.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attached file Shell testcase 
Small shell testcase. Throws an error with default flags. Does not throw with --no-ion. We are bailing out in JSIL.GetTypeInternal and somehow context becomes |undefined|.
No longer blocks: 868042
Attached patch PatchSplinter Review 
What's happening is that we have a snapshot like this:

formal x: undefined (constant)
local y : LArgument (x's slot)

We bailout and overwrite the argument on the stack with UndefinedValue(). When we get to the local, we read the |undefined| Value from the stack instead of the original Value that was stored there. The argument is never really undefined, but due to UCE / phi elimination we think the formal is unused when we bailout and store undefined in the snapshot.

The patch fixes this by storing the formals in a Vector and only writing them to the stack at the end of the bailout.
Attachment #766702 - Flags: review?(kvijayan)
Comment on attachment 766702 [details] [diff] [review]
Patch

Review of attachment 766702 [details] [diff] [review]:
-----------------------------------------------------------------

Nice find.
Attachment #766702 - Flags: review?(kvijayan) → review+
Which bug regressed that?
(In reply to Loic from comment #9)
> Which bug regressed that?

I think the Baseline Compiler landing, though for this particular testcase it was only a problem after some other changes landed.
Comment on attachment 766702 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Most likely the new Baseline compiler (introduced in Firefox 23)
User impact if declined: Correctness bugs, probably NULL-deref crashes
Testing completed (on m-c, etc.): On m-i
Risk to taking this patch (and alternatives if risky): Very low
String or IDL/UUID changes made by this patch: None
Attachment #766702 - Flags: approval-mozilla-beta?
Attachment #766702 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/cbaa841e8f2b
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Attachment #766702 - Flags: approval-mozilla-beta?
Attachment #766702 - Flags: approval-mozilla-beta+
Attachment #766702 - Flags: approval-mozilla-aurora?
Attachment #766702 - Flags: approval-mozilla-aurora+
Keywords: verifyme
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
Build ID: 20130917123208

Verified as fixed on Firefox 25 beta 1 - the raytracer demo loads fine without an active debugger.
status-firefox25: fixedverified
Keywords: verifyme
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: