Open Bug 819729 Opened 12 years ago Updated 2 years ago

IonMonkey: js::ion::CanEnter invalidates its callee when creating the this object with js_CreateThisForFunction.

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect

People

(Reporter: nbp, Unassigned)

References

(Depends on 1 open bug)

Details

With a patch for Bug 803710, I noticed multiple identical compilations when running --no-jm ./jit-test/tests/ion/bug741241.js . Apparently, the type of This of the inner function at line 30 is not provided for the next recompilation, and the function keeps being recompiled identically.

(gdb) bt
#0  0x00000000008a2f5d in js::ion::IonRuntime::ifRecompilationWarn (this=0xf662b0, script=0x7fffeea107c0)
    at /home/nicolas/mozilla/ionmonkey/js/src/ion/Ion.cpp:272
#1  0x000000000050f8e9 in js::types::TypeCompartment::addPendingRecompile (this=0xf4fba8, cx=0xf456f0, info=...)
    at /home/nicolas/mozilla/ionmonkey/js/src/jsinfer.cpp:2565
#2  0x000000000050fd01 in js::types::TypeCompartment::addPendingRecompile (this=0xf4fba8, cx=0xf456f0, script=..., pc=0x0)
    at /home/nicolas/mozilla/ionmonkey/js/src/jsinfer.cpp:2638
#3  0x000000000050e138 in AddPendingRecompile (cx=0xf456f0, script=..., pc=0x0, kind=RECOMPILE_NONE)
    at /home/nicolas/mozilla/ionmonkey/js/src/jsinfer.cpp:2054
#4  0x000000000050e30f in TypeConstraintFreezeStack::newType (this=0xf70870, cx=0xf456f0, source=0xf83460, type=...)
    at /home/nicolas/mozilla/ionmonkey/js/src/jsinfer.cpp:2107
#5  0x000000000046e80e in js::types::TypeCompartment::resolvePending (this=0xf4fba8, cx=0xf456f0)
    at /home/nicolas/mozilla/ionmonkey/js/src/jsinferinlines.h:1093
#6  0x000000000046ee1e in js::types::TypeSet::addType (this=0xf83460, cx=0xf456f0, type=...)
    at /home/nicolas/mozilla/ionmonkey/js/src/jsinferinlines.h:1412
#7  0x00000000005080e7 in js::types::TypeScript::SetThis (cx=0xf456f0, script=..., type=...)
    at /home/nicolas/mozilla/ionmonkey/js/src/jsinferinlines.h:982
#8  0x0000000000575b72 in js_CreateThisForFunctionWithProto (cx=0xf456f0, callee=..., proto=0x7fffeea2ace0)
    at /home/nicolas/mozilla/ionmonkey/js/src/jsobj.cpp:2370
#9  0x0000000000575cba in js_CreateThisForFunction (cx=0xf456f0, callee=..., newType=false)
    at /home/nicolas/mozilla/ionmonkey/js/src/jsobj.cpp:2387
#10 0x00000000008a6917 in js::ion::CanEnter (cx=0xf456f0, script=..., fp=0x7fffefbbc138, newType=false)
    at /home/nicolas/mozilla/ionmonkey/js/src/ion/Ion.cpp:1555
Depends on: 803710
Assignee: general → nobody
Severity: normal → S3