Closed
Bug 904079
Opened 11 years ago
Closed 11 years ago
IonMonkey: MBox(MConstant) emits an LValue for every snapshot that captures it
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla26
People
(Reporter: jandem, Assigned: jandem)
References
Details
Attachments
(1 file)
2.78 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
MBox(MConstant) is emitted-at-uses and this can cause us to emit an LValue for every snapshot that captures this MBox. Not only is this a silly performance problem (the value is a constant so these moves and register uses for every snapshot are totally unnecessary), it also breaks Ion's try-catch implementation if there's an LValue between an instruction and the LOsiPoint that follows it. decoder found the testcase I added (the first test in bug 902978 comment 6). This patch also asserts snapshot uses other than constants are not emitted-at-uses, to avoid similar bugs in the future.
Attachment #788962 -
Flags: review?(bhackett1024)
Updated•11 years ago
|
Attachment #788962 -
Flags: review?(bhackett1024) → review+
Comment 1•11 years ago
|
||
Comment on attachment 788962 [details] [diff] [review] Patch Review of attachment 788962 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/shared/Lowering-shared.cpp @@ +90,5 @@ > > + // Snapshot operands other than constants should never be > + // emitted-at-uses. Try-catch support depends on there being no > + // code between an instruction and the LOsiPoint that follows it. > + JS_ASSERT_IF(!ins->isConstant(), !ins->isEmittedAtUses()); We should just *never* call ensureDefined below and check that the instruction is either emitted at uses or lowered. This is not only wrong with Try-cacth, but also with any call. the LOsiPoint must always directly succeed the instruction which requires a safepoint.
Assignee | ||
Comment 2•11 years ago
|
||
Pushed with the ensureDefined call removed and the x64 code updated as well. https://hg.mozilla.org/integration/mozilla-inbound/rev/0dcadb754626 https://tbpl.mozilla.org/?tree=Try&rev=9e008b0e71f5
Comment 3•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/0dcadb754626
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
You need to log in
before you can comment on or make changes to this bug.
Description
•