[INFER] Fix bogus assert in ensureInteger, bug 618849.
authorBrian Hackett <bhackett1024@gmail.com>
Mon, 13 Dec 2010 11:58:35 -0800
changeset 74659 261101d210dc025392f919e020c97905b61432e4
parent 74658 c305092a1b33689ef387f3d443e0849628022808
child 74660 8492590010d7d06670817d2c4cd6e5d9e62201da
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs618849
milestone2.0b8pre
[INFER] Fix bogus assert in ensureInteger, bug 618849.
js/src/jit-test/tests/basic/testArrayConcat.js
js/src/jit-test/tests/jaeger/bug618849.js
js/src/methodjit/FrameState-inl.h
js/src/methodjit/FrameState.h
--- a/js/src/jit-test/tests/basic/testArrayConcat.js
+++ b/js/src/jit-test/tests/basic/testArrayConcat.js
@@ -2,9 +2,9 @@
 var x = Array(4);
 x[0] = 1;
 x[1] = 2;
 x[2] = 3;
 var y = x.concat();
 assertEq(y[3], undefined);
 
 var z = x.concat(/abc/).pop();
-assertEq(x.source, "abc");
+assertEq(z.source, "abc");
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug618849.js
@@ -0,0 +1,11 @@
+
+function f() {
+    function g() {
+        var b = x;
+        var c = b++ & b;
+        return c;
+    }
+    var x = x--;
+    return g();
+}
+assertEq(f(), 0);
--- a/js/src/methodjit/FrameState-inl.h
+++ b/js/src/methodjit/FrameState-inl.h
@@ -816,17 +816,17 @@ FrameState::learnType(FrameEntry *fe, JS
     if (unsync)
         fe->type.unsync();
 }
 
 inline void
 FrameState::learnType(FrameEntry *fe, JSValueType type, RegisterID data)
 {
     forgetAllRegs(fe);
-    fe->setCopyOf(NULL);
+    fe->copy = NULL;
 
     fe->type.setConstant();
     fe->knownType = type;
 
     fe->data.setRegister(data);
     regstate(data).associate(fe, RematInfo::DATA);
 
     fe->data.unsync();
--- a/js/src/methodjit/FrameState.h
+++ b/js/src/methodjit/FrameState.h
@@ -642,17 +642,18 @@ class FrameState
 
     /*
      * Load all registers to update from either the current register state (if synced
      * is unset) or a synced state (if synced is set) to target.
      */
     void prepareForJump(jsbytecode *target, Assembler &masm, bool synced);
 
     /*
-     * Mark an existing slot with a type.  unsync indicates whether type is already synced.
+     * Mark an existing slot with a type. unsync indicates whether type is already synced.
+     * Do not call this on entries which might be copied.
      */
     inline void learnType(FrameEntry *fe, JSValueType type, bool unsync = true);
     inline void learnType(FrameEntry *fe, JSValueType type, RegisterID payload);
 
     /*
      * Forget a type, syncing in the process.
      */
     inline void forgetType(FrameEntry *fe);