[INFER] Don't try to inline known-unjittable scripts, use pushed type set instead of type tag when storing double result in JSOP_DIV,
bug 648230.
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug648230-1.js
@@ -0,0 +1,13 @@
+
+function f() {
+ -null;
+ -null;
+ -null;
+ -null;
+ -null;
+}
+{
+ function g() {};
+}
+f();
+x = Math.abs();
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug648230-2.js
@@ -0,0 +1,14 @@
+var i = 1;
+var j = 2;
+function f() {
+ if (false)
+ function g() {};
+ return i / j;
+}
+-null;
+-null;
+-null;
+-null;
+-null;
+f();
+
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -164,16 +164,18 @@ mjit::Compiler::compile()
// just need a pointer so the VM can quickly decide whether this
// method can be JIT'd or not. Global scripts cannot be IC'd, since
// they have no functions, so there is no danger.
*checkAddr = (*jit)->arityCheckEntry
? (*jit)->arityCheckEntry
: (*jit)->invokeEntry;
} else {
*checkAddr = JS_UNJITTABLE_SCRIPT;
+ if (outerScript->fun && !cx->markTypeFunctionUninlineable(outerScript->fun->getType()))
+ return Compile_Error;
}
return status;
}
CompileStatus
mjit::Compiler::pushActiveFrame(JSScript *script, uint32 argc)
{
--- a/js/src/methodjit/FastArithmetic.cpp
+++ b/js/src/methodjit/FastArithmetic.cpp
@@ -363,25 +363,34 @@ mjit::Compiler::jsop_binary_double(Frame
frame.freeReg(reg);
frame.freeReg(fpReg);
done.setJump(masm.jump());
isDouble.linkTo(masm.label(), &masm);
}
- if (type == JSVAL_TYPE_INT32) {
+ /*
+ * Inference needs to know about any operation on integers that produces a
+ * double result. Unless the pushed type set already contains the double
+ * type, we need to call a stub rather than push. Note that looking at
+ * the pushed type tag is not sufficient, as it will be UNKNOWN if
+ * we do not yet know the possible types of the division's operands.
+ */
+ types::TypeSet *resultTypes = pushedTypeSet(0);
+ if (resultTypes && !resultTypes->hasType(types::TYPE_DOUBLE)) {
/*
- * Integer conversion failed, but the result is expected to be an integer.
- * Call a stub and try harder to convert to int32, or failing that trigger
+ * Call a stub and try harder to convert to int32, failing that trigger
* recompilation of this script.
*/
stubcc.linkExit(masm.jump(), Uses(2));
- } else if (type != JSVAL_TYPE_DOUBLE) {
- masm.storeDouble(fpLeft, frame.addressOf(lhs));
+ } else {
+ JS_ASSERT(type != JSVAL_TYPE_INT32);
+ if (type != JSVAL_TYPE_DOUBLE)
+ masm.storeDouble(fpLeft, frame.addressOf(lhs));
}
if (done.isSet())
done.getJump().linkTo(masm.label(), &masm);
stubcc.leave();
OOL_STUBCALL(stub);
