[INFER] Fix copies too in fixDoubleTypes, bug 639567.
authorBrian Hackett <bhackett1024@gmail.com>
Mon, 07 Mar 2011 16:47:15 -0800
changeset 74728 0edb03210dacc201f7a6e5fecf1a0a9935fe22b6
parent 74727 9b576fe9baede54e1a1374c50b8cf9f772cf57b5
child 74729 38c06cbd699335a5914f936dd946cd33804defaa
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs639567
milestone2.0b12pre
[INFER] Fix copies too in fixDoubleTypes, bug 639567.
js/src/jit-test/tests/jaeger/bug639587.js
js/src/methodjit/FrameState.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug639587.js
@@ -0,0 +1,8 @@
+/* Don't assert. */
+
+function f(o) {
+  o == 1;
+    if (o == 2) {}
+}
+for (var i = 0; i < 20; i++)
+  f(3.14);
--- a/js/src/methodjit/FrameState.cpp
+++ b/js/src/methodjit/FrameState.cpp
@@ -1659,54 +1659,53 @@ FrameState::ensureDouble(FrameEntry *fe)
 {
     if (fe->isConstant()) {
         JS_ASSERT(fe->getValue().isInt32());
         Value newValue = DoubleValue(double(fe->getValue().toInt32()));
         fe->setConstant(Jsvalify(newValue));
         return;
     }
 
+    if (fe->isCopy())
+        fe = fe->copyOf();
+
     if (fe->isType(JSVAL_TYPE_DOUBLE))
         return;
 
-    FrameEntry *backing = fe;
-    if (fe->isCopy())
-        backing = fe->copyOf();
-
-    if (backing->isType(JSVAL_TYPE_DOUBLE)) {
-        /* The backing was converted to double already. */
-        fe->type.setConstant();
-        fe->knownType = JSVAL_TYPE_DOUBLE;
-        fe->typeSet = NULL;
-        return;
-    }
-
-    if (fe != backing) {
-        /* Forget this entry is a copy.  We are converting this entry, not the backing. */
-        fe->clear();
+    if (fe->isCopied()) {
+        /* Find and fixup the type for any copies of this entry. */
+        for (uint32 i = fe->trackerIndex() + 1; i < tracker.nentries; i++) {
+            FrameEntry *nfe = tracker[i];
+            if (nfe->isCopy() && nfe->copyOf() == fe) {
+                nfe->setType(JSVAL_TYPE_DOUBLE, NULL);
+                nfe->data.unsync();
+                nfe->type.unsync();
+            }
+        }
     }
 
     FPRegisterID fpreg = allocFPReg();
 
-    if (backing->isType(JSVAL_TYPE_INT32)) {
-        RegisterID data = tempRegForData(backing);
+    if (fe->isType(JSVAL_TYPE_INT32)) {
+        RegisterID data = tempRegForData(fe);
         masm.convertInt32ToDouble(data, fpreg);
     } else {
-        syncFe(backing);
-        masm.moveInt32OrDouble(addressOf(backing), fpreg);
+        syncFe(fe);
+        masm.moveInt32OrDouble(addressOf(fe), fpreg);
     }
 
     forgetAllRegs(fe);
     fe->resetUnsynced();
     fe->setType(JSVAL_TYPE_DOUBLE, NULL);
     fe->data.setFPRegister(fpreg);
     regstate(fpreg).associate(fe, RematInfo::DATA);
 
     fe->data.unsync();
     fe->type.unsync();
+
     return;
 }
 
 void
 FrameState::pushCopyOf(uint32 index)
 {
     FrameEntry *backing = entryFor(index);
     FrameEntry *fe = rawPush();