Closed Bug 677163 Opened 13 years ago Closed 13 years ago

IonMonkey: Incorrect interpreter state from bailout with greedy register allocator

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: adrake, Assigned: dvander)

References

(Blocks 1 open bug)

Details

Attachments

(2 files)

Test case
(deleted), application/javascript
Details
fix
(deleted), patch
adrake
: review+
Details | Diff | Splinter Review
Attached file Test case (deleted) —
The attached test case bails due to a guard failure the integer unboxing of an "undefined" value. With --ion-licm=off --ion-gvn=off --ion-regalloc=greedy --ion, the interpreter state is such that the program loops infinitely. The behavior with ion disabled and LSRA is to terminate with "undefined".
Attached patch fix (deleted) — Splinter Review
Bug in the compact encoding for signed integers.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #551966 - Flags: review?(adrake)
Comment on attachment 551966 [details] [diff] [review] fix Review of attachment 551966 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/CompactBuffer.h @@ +102,5 @@ > + bool more = !!(b & (1 << 1)); > + int32 result = b >> 2; > + if (more) > + result |= readUnsigned() << 6; > + if (isSigned) isNegative? @@ +137,5 @@ > value >>= 7; > } while (value); > } > + void writeSigned(int32 v) { > + bool isSigned = v < 0; And here
Attachment #551966 - Flags: review?(adrake) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/af7791387bef w/ nits
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: