[INFER] Fix jsop_relational_double to sync rhs correctly if lhs is not a number, bug 657120. r=bhackett
authorJan de Mooij <jandemooij@gmail.com>
Tue, 17 May 2011 14:09:08 +0200
changeset 75069 807a6cc25c34abd63a657a0394cc6e876b087378
parent 75068 8aa5d9272628034ab1132ace847af61a9596c7e4
child 75070 97f9e3274bd5a1e30641bcd93bc664aef4abc749
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
reviewersbhackett
bugs657120
milestone6.0a1
[INFER] Fix jsop_relational_double to sync rhs correctly if lhs is not a number, bug 657120. r=bhackett
js/src/jit-test/tests/jaeger/bug657120.js
js/src/methodjit/FastArithmetic.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug657120.js
@@ -0,0 +1,6 @@
+function f() {
+    var x = Object(2);
+    var y = 3.14;
+    assertEq(true && x < y, true);
+}
+f();
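Review bot: The test covers one shape only, a non-number lhs with the comparison result used as a value, while the patch changes both the fused-branch exit (`linkExitForBranch`) and the fall-through exit (`linkExit`), for rhs as well as lhs. Adding `assertEq(y > x, true);` would put the object on the rhs. Adding `if (!(x < y)) throw new Error("branch form");` should cover the case where the comparison controls a branch directly, assuming the compiler fuses it there. A one-line comment at the top such as `// Bug 657120: relational op on doubles where one operand is not a number.` would tell the next reader what regression this guards.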
--- a/js/src/methodjit/FastArithmetic.cpp
+++ b/js/src/methodjit/FastArithmetic.cpp
@@ -1418,30 +1418,38 @@ mjit::Compiler::jsop_relational_double(J
     FrameEntry *lhs = frame.peek(-2);
 
     JS_ASSERT_IF(!target, fused != JSOP_IFEQ);
 
     FPRegisterID fpLeft, fpRight;
     bool allocateLeft, allocateRight;
 
     MaybeJump lhsNotNumber = loadDouble(lhs, &fpLeft, &allocateLeft);
+    if (lhsNotNumber.isSet()) {
+        if (target)
+            stubcc.linkExitForBranch(lhsNotNumber.get());
+        else
+            stubcc.linkExit(lhsNotNumber.get(), Uses(2));
+    }
     if (!allocateLeft)
         frame.pinReg(fpLeft);
 
     MaybeJump rhsNotNumber = loadDouble(rhs, &fpRight, &allocateRight);
+    if (rhsNotNumber.isSet()) {
+        if (target)
+            stubcc.linkExitForBranch(rhsNotNumber.get());
+        else
+            stubcc.linkExit(rhsNotNumber.get(), Uses(2));
+    }
     if (!allocateLeft)
         frame.unpinReg(fpLeft);
 
     Assembler::DoubleCondition dblCond = DoubleCondForOp(op, fused);
 
     if (target) {
-        if (lhsNotNumber.isSet())
-            stubcc.linkExitForBranch(lhsNotNumber.get());
-        if (rhsNotNumber.isSet())
-            stubcc.linkExitForBranch(rhsNotNumber.get());
         stubcc.leave();
         OOL_STUBCALL(stub, REJOIN_BRANCH);
 
         frame.syncAndKillEverything();
         Jump j = masm.branchDouble(dblCond, fpLeft, fpRight);
 
         if (allocateLeft)
             frame.freeReg(fpLeft);
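Review bot: The position of the two new exit-linking blocks, directly after each `loadDouble`, is load-bearing, but nothing in the code says so. Going by the commit title, the exit apparently has to be linked while the frame still reflects the state at that jump, before the rhs load can change register assignments. A comment above the first block such as `/* Link the slow-path exit now: it must see the frame as of this loadDouble, before rhs is loaded. */` would keep a later cleanup from moving them back next to `stubcc.leave()`. The two blocks differ only in which `MaybeJump` they take, so a small local helper would remove the duplication. The rhs exit is also now linked while `fpLeft` may still be pinned, and the hunk does not show whether that affects what the exit records, so it is worth confirming; jsop_relational_double starts and ends outside this hunk.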
@@ -1458,20 +1466,16 @@ mjit::Compiler::jsop_relational_double(J
 
         /*
          * NB: jumpAndTrace emits to the OOL path, so make sure not to use it
          * in the middle of an in-progress slow path.
          */
         if (!jumpAndTrace(j, target, &sj))
             return false;
     } else {
-        if (lhsNotNumber.isSet())
-            stubcc.linkExit(lhsNotNumber.get(), Uses(2));
-        if (rhsNotNumber.isSet())
-            stubcc.linkExit(rhsNotNumber.get(), Uses(2));
         stubcc.leave();
         OOL_STUBCALL(stub, REJOIN_FALLTHROUGH);
 
         frame.popn(2);
 
         RegisterID reg = frame.allocReg();
         Jump j = masm.branchDouble(dblCond, fpLeft, fpRight);
         masm.move(Imm32(0), reg);