[INFER] Fix overly imprecise types on localinc/arginc, bug 608750.
authorBrian Hackett <bhackett1024@gmail.com>
Mon, 29 Nov 2010 11:55:10 -0800
changeset 74627 30ffdc01adf2fb3be916dd0b050593798ef65578
parent 74626 e18996c2a36fa23ff2b3e4f27c2d04a55beec622
child 74628 6a3dfe79bfa6ad124fb4992f2bc431a635c20d2a
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs608750
milestone2.0b8pre
[INFER] Fix overly imprecise types on localinc/arginc, bug 608750.
js/src/jit-test/tests/jaeger/recompile/incdec.js
js/src/methodjit/FastOps.cpp
--- a/js/src/jit-test/tests/jaeger/recompile/incdec.js
+++ b/js/src/jit-test/tests/jaeger/recompile/incdec.js
@@ -5,24 +5,45 @@ function local()
 {
   var j = 0x7ffffff0;
   for (var i = 0; i < 100; i++)
     j++;
   assertEq(j, 2147483732);
 }
 local();
 
+function olocal()
+{
+  var j = 0x7ffffff0;
+  for (var i = 0; i < 100; i++) {
+    if (j++ == 5000)
+      break;
+  }
+  assertEq(j, 2147483732);
+}
+olocal();
+
 function arg(j)
 {
   for (var i = 0; i < 100; i++)
     j++;
   assertEq(j, 2147483732);
 }
 arg(0x7ffffff0);
 
+function oarg(j)
+{
+  for (var i = 0; i < 100; i++) {
+    if (j++ == 5000)
+      break;
+  }
+  assertEq(j, 2147483732);
+}
+oarg(0x7ffffff0);
+
 var g = 0x7ffffff0;
 function glob()
 {
   for (var i = 0; i < 100; i++)
     g++;
   assertEq(g, 2147483732);
 }
 glob();
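Review bot: The added `olocal` and `oarg` cases only push a used-result post-increment past INT32_MAX; no case takes a used-result decrement below INT32_MIN, although this commit also changes the `JSOP_SUB` call in `jsop_localinc`. A mirrored pair starting from `-0x7ffffff0` with `j--` would pin that direction. A `++j` used inside a condition would also cover the pre-increment form with a live result. A sketch of the local case follows; the argument case has the same body with `j` as a parameter.

```javascript
function odlocal()
{
  var j = -0x7ffffff0;
  for (var i = 0; i < 100; i++) {
    if (j-- == 5000)
      break;
  }
  assertEq(j, -2147483732);
}
odlocal();
```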
--- a/js/src/methodjit/FastOps.cpp
+++ b/js/src/methodjit/FastOps.cpp
@@ -974,22 +974,22 @@ mjit::Compiler::jsop_localinc(JSOp op, u
             frame.dup();
             /* N N */
         }
 
         frame.push(Int32Value(1));
         /* N? N 1 */
 
         if (amt == 1)
-            jsop_binary(JSOP_ADD, stubs::Add, JSVAL_TYPE_UNKNOWN);
+            jsop_binary(JSOP_ADD, stubs::Add, type);
         else
-            jsop_binary(JSOP_SUB, stubs::Sub, JSVAL_TYPE_UNKNOWN);
+            jsop_binary(JSOP_SUB, stubs::Sub, type);
         /* N? N+1 */
 
-        frame.storeLocal(slot, post || popped);
+        frame.storeLocal(slot, post || popped, type);
         /* N? N+1 */
 
         /* Make a stub call too in case we are recompiling from an overflowing localinc. */
         if (recompiling) {
             stubcc.masm.move(Imm32(slot), Registers::ArgReg1);
             OOL_STUBCALL(stub);
         }
 
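Review bot: `type` now describes both the result of `jsop_binary` and the value written by `frame.storeLocal`, but nothing at these call sites says why one type holds for both when an int32 increment can produce a double. `jsop_localinc` starts and ends outside this hunk and `type` is declared outside it, so its derivation is not visible here; the same pattern recurs in `jsop_arginc` in the next hunk. A comment above the `jsop_binary` calls would help, for example `/* type is the inferred result type; an int32 overflow is caught by the recompile stub call below. */`, adjusted to what the inference actually guarantees. A wrong static type in JIT-compiled code can become type confusion rather than just a wrong result, so the invariant is worth stating where it is relied on.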
@@ -1035,64 +1035,66 @@ mjit::Compiler::jsop_localinc(JSOp op, u
         frame.pop();
 
     stubcc.rejoin(Changes(0));
 }
 
 void
 mjit::Compiler::jsop_arginc(JSOp op, uint32 slot, bool popped)
 {
+    JSValueType type = knownArgumentType(slot);
+
     if (popped || (op == JSOP_INCARG || op == JSOP_DECARG)) {
         int amt = (op == JSOP_ARGINC || op == JSOP_INCARG) ? -1 : 1;
 
         // Before: 
         // After:  V
-        frame.pushArg(slot, JSVAL_TYPE_UNKNOWN);
+        frame.pushArg(slot, type);
 
         // Before: V
         // After:  V 1
         frame.push(Int32Value(amt));
 
         // Note, SUB will perform integer conversion for us.
         // Before: V 1
         // After:  N+1
-        jsop_binary(JSOP_SUB, stubs::Sub, JSVAL_TYPE_UNKNOWN);
+        jsop_binary(JSOP_SUB, stubs::Sub, type);
 
         // Before: N+1
         // After:  N+1
-        frame.storeArg(slot, popped);
+        frame.storeArg(slot, popped, type);
 
         if (popped)
             frame.pop();
     } else {
         int amt = (op == JSOP_ARGINC || op == JSOP_INCARG) ? 1 : -1;
 
         // Before:
         // After: V
-        frame.pushArg(slot, JSVAL_TYPE_UNKNOWN);
+        frame.pushArg(slot, type);
 
         // Before: V
         // After:  N
         jsop_pos();
 
         // Before: N
         // After:  N N
         frame.dup();
 
         // Before: N N
         // After:  N N 1
         frame.push(Int32Value(amt));
 
         // Before: N N 1
         // After:  N N+1
-        jsop_binary(JSOP_ADD, stubs::Add, JSVAL_TYPE_UNKNOWN);
+        jsop_binary(JSOP_ADD, stubs::Add, type);
 
         // Before: N N+1
         // After:  N N+1
-        frame.storeArg(slot, true);
+        frame.storeArg(slot, true, type);
 
         // Before: N N+1
         // After:  N
         frame.pop();
     }
 }
 
 static inline bool
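Review bot: `jsop_arginc` now passes `knownArgumentType(slot)` to `jsop_binary` and `frame.storeArg`, but unlike `jsop_localinc` it has no visible `if (recompiling)` out-of-line stub call for the overflowing case. That is fine if `jsop_binary` handles the overflow entirely, but this is not visible in the hunk. If it does not, an argument inferred as int32 could keep a stale type after the increment overflows to a double. Either add handling equivalent to the `jsop_localinc` block, or, once confirmed, a comment such as `// Overflow to double is handled inside jsop_binary; no stub call is needed here.` at the top of the function.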