Closed Bug 582084 Opened 14 years ago Closed 14 years ago

JM: jsreftest browser crash on e4x/decompilation/regress-352013.js

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: dmandelin, Assigned: dmandelin)

References

Details

Attachments

(2 files)

Patch
(deleted), patch
dvander
: review+
Details | Diff | Splinter Review
Call pushNumber() patch.
(deleted), patch
Details | Diff | Splinter Review 
The crash is in stubs::Add, where the rval is tagged as a string but has payload 0x1.
What commit was this tested with? http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/c31210b66d0c fixed a syncing bug in the Add slowpath that sounds like this.
It is in today's tip.

Cause: the fast path for JSOP_(INC|DEC)GLOBAL doesn't store a type tag. So it stores an int payload but leaves a stale type tag.
Attached patch Patch (deleted) — Splinter Review 
I'm not really sure exactly what the conditions on pushNumber are supposed to be, but it seems like something different is wanted by globalinc, so I just made a new function to push an int32.

It looks like this may cost us 1 ms on SS, but it's hard to tell with such a small change. I can file a followup bug on trying out holding the tag in a register after this lands.
Attachment #460370 - Flags: review?(dvander)
(In reply to comment #3)
> Created attachment 460370 [details] [diff] [review]

FrameState::pushInt32() is the same as FrameState::pushNumber(foo, true). The problem is just that the true flag was not passed -- causing pushNumber() to mark the typed as synced in memory, when it was never actually written.
Attached patch Call pushNumber() patch. (deleted) — Splinter Review 
Patch implementing above suggestion. The pushInt32() approach might be cleaner -- but then the purpose of pushNumber() is dubious.
There is also the option of pushUntypedPayload(reg, JSVAL_INT32_TAG), which I think used to be used in jsop_globalinc.
Comment on attachment 460370 [details] [diff] [review]
Patch


>     /*
>+     * Pushes an int32 onto the operation stack.
>+     */
>+    inline void pushInt32(RegisterID payload);

This should probably say that it's related to pushNumber, and that int32 is a soft guarantee. i.e. "The caller guarantees that an int32 has been pushed on the inline path, and that if a double was written on the OOL path, it has been synced to memory."
Attachment #460370 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/jaegermonkey/rev/0ed57d1c4172
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: