Jesse Ruderman Reporter
	Description • 12 years ago

With:

  user_pref("javascript.options.ion.parallel_compilation", false);
  user_pref("javascript.options.methodjit.content", false);

And a build compiled with:

  --enable-debug
  --enable-optimize (!!)

Various bad things happening after ion-compiling the function:

  function domthrows() { document.documentElement.appendChild(null); }

Regression from bug 839116 part 2?

	Jesse Ruderman Reporter
	Comment 1 • 12 years ago

Assertion failure: !JS_IsExceptionPending(cx), at js/src/jsiter.cpp:737

In js_ThrowStopIteration

	Jesse Ruderman Reporter
	Comment 3 • 12 years ago

Our Tinderbox debug builds are built with --enable-optimize, so you should be able to reproduce the bug using e.g.

https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1362259729/

	Boris Zbarsky [:bzbarsky] Assignee
	Comment 4 • 12 years ago

> Regression from bug 839116 part 2?

For appendChild on the <html>, perhaps.  What about:

  var xhr = new XMLHttpRequest();
  function domthrows() { xhr.open();  }

?  I don't see what the DOM code could possibly be doing to make this complicated for the jit per se, except if the specialized Ion codepath for DOM calls is busted.

	Boris Zbarsky [:bzbarsky] Assignee
	Comment 5 • 12 years ago

So as expected, turning off the code bug 773549 added makes this problem go away.

I checked, and we never take the target->jitInfo()->isInfallible branch in CodeGenerator::visitCallDOMNative, which is not surprising.  So we are in fact generating the exception-handling code the other branch puts in....

Here's what JIT Inspector has to say about domthrows() when I write it per comment 4:

[CallDOMNative]
... set up the call ...
call       *%rax
addq       $0x8, %rsp
pop        %rsp
testl      %eax, %eax
je         ((279))
movq       0x30(%rsp), %rcx
jmp        ((289))
##link     ((279)) jumps to ((289))
subq       $0x8, %rsp
movq       %rsp, %rax
movq       %rsp, %rcx
andq       $0xfffffff0, %rsp
push       %rcx
subq       $0x8, %rsp
movq       %rax, %rdi
movl       %esp, %eax
testq      $0xf, %rax
je         ((326))
int3
##link     ((326)) jumps to ((327))
movabsq    $0x101446870, %rax
call       *%rax
addq       $0x8, %rsp
pop        %rsp
movabsq    $0xfffa00000000000f, %rcx
movq       0x0(%rsp), %rsp
ret
##link     ((289)) jumps to ((359))
addq       $0x38, %rsp

and then we have the [TypeBarrier].

Sean, does that (and the code in CodeGenerator::visitCallDOMNative in general) look obviously wrong in some way?

	Boris Zbarsky [:bzbarsky] Assignee
	Comment 6 • 12 years ago

And actually requesting needinfo from Sean... ;)

	Jan de Mooij [:jandem]
	Comment 8 • 12 years ago

Comment on attachment 721285 [details] [diff] [review]
Fix the "did the DOM call throw?" test in IonMonkey to check the return value correctly.

Review of attachment 721285 [details] [diff] [review]:
-----------------------------------------------------------------

Don't we have to fix GetDOMProperty and SetDOMProperty too, since they have a similar check? r=me with that addressed.

	Boris Zbarsky [:bzbarsky] Assignee
	Comment 9 • 12 years ago

> Don't we have to fix GetDOMProperty and SetDOMProperty too

Nice catch.  I can't come up with a testcase that fails for those, but of course whether we fail depends on what's in the register....

	Boris Zbarsky [:bzbarsky] Assignee
	Comment 10 • 12 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/da51c5373da5

Jan, do you think we should backport this to branches?

	Jan de Mooij [:jandem]
	Comment 11 • 12 years ago

(In reply to Boris Zbarsky (:bz) from comment #10)
> Jan, do you think we should backport this to branches?

Not sure how critical/common this issue is, but it would be good to backport imo. The fix is simple and we use similar code elsewhere. The main problem I see is that there's no branchTestBool on beta (aurora has it though), but should be easy to backport that, just a few lines of code.

	Boris Zbarsky [:bzbarsky] Assignee
	Comment 13 • 12 years ago

Comment on attachment 721285 [details] [diff] [review]
Fix the "did the DOM call throw?" test in IonMonkey to check the return value correctly.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 773549
User impact if declined: Possible incorrect behavior for some websites; more
   easily hit now that more objects are on WebIDL bindings.
Testing completed (on m-c, etc.): Passes attached test.
Risk to taking this patch (and alternatives if risky): Risk should be quite low.
String or UUID changes made by this patch: None.

	Ed Morley [:emorley]
	Comment 14 • 12 years ago

https://hg.mozilla.org/mozilla-central/rev/da51c5373da5

	Lukas Blakk [:lsblakk] use ?needinfo
	Comment 15 • 12 years ago

Comment on attachment 721383 [details] [diff] [review]
Beta patch

Looks good, let's get this in soon so we have some bake time in beta 4/5 to make sure there's no unexpected fallout before shipping.

	Ryan VanderMeulen [:RyanVM]
	Comment 16 • 12 years ago

https://hg.mozilla.org/releases/mozilla-aurora/rev/8323e52f55db
https://hg.mozilla.org/releases/mozilla-beta/rev/1a2504b4c344