[INFER] Don't allow doubles to be copies of synced entries, bug 617624.
authorBrian Hackett <bhackett1024@gmail.com>
Wed, 08 Dec 2010 13:11:49 -0800
changeset 74651 fcc727676be6fce8c1fdf54818a728c7a693b538
parent 74650 9256ed2447649d9ab0b74d5c85c11a0e62483dc2
child 74652 c247104a1499c8d980a1b8bbf2cf682c25d34df5
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs617624
milestone2.0b8pre
[INFER] Don't allow doubles to be copies of synced entries, bug 617624.
js/src/jit-test/tests/jaeger/bug617624.js
js/src/methodjit/FrameState.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug617624.js
@@ -0,0 +1,7 @@
+
+function f() {
+    var x;
+    var a = x;
+    Boolean(a = Number(12.34));
+}
+f();
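Review bot: The new test asserts nothing about the result, so it can only fail through a crash or a debug-build `JS_ASSERT`; in an optimized build a recurrence of the frame-state type mismatch would pass silently. Consider ending `f` with `return a;` and replacing the bare call with `assertEq(f(), 12.34);`, after confirming that the extra use of `a` still drives the same `storeTop` path. A one-line header comment such as `// Bug 617624: a double is assigned to a local that was a copy of another entry.` would also tell the next reader what the otherwise odd `var a = x` setup appears to be for.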
--- a/js/src/methodjit/FrameState.cpp
+++ b/js/src/methodjit/FrameState.cpp
@@ -2077,20 +2077,21 @@ FrameState::storeTop(FrameEntry *target,
         if (type == JSVAL_TYPE_UNKNOWN) {
             masm.storeDouble(fpreg, addressOf(target));
             target->resetSynced();
 
             /* We're about to invalidate the backing, so forget the FP register. */
             forgetReg(fpreg);
         } else {
             JS_ASSERT(type == JSVAL_TYPE_DOUBLE);
-            target->setType(JSVAL_TYPE_DOUBLE);
             target->data.setFPRegister(fpreg);
             regstate(fpreg).reassociate(target);
         }
+
+        target->setType(JSVAL_TYPE_DOUBLE);
     } else {
         /*
          * Move the backing store down - we spill registers here, but we could be
          * smarter and re-use the type reg.
          */
         RegisterID reg = tempRegForData(backing);
         target->data.setRegister(reg);
         regstate(reg).reassociate(target);
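Review bot: The hoisted `target->setType(JSVAL_TYPE_DOUBLE)` at the end of the FP-register branch carries no comment, yet it is the whole fix: it now also runs on the `type == JSVAL_TYPE_UNKNOWN` path, after `storeDouble`, `resetSynced()` and `forgetReg(fpreg)`. A tracked type that disagrees with the double actually held by the entry is the kind of frame-state mismatch that can surface as type confusion in generated code, so the invariant should be stated where it is enforced, e.g. `/* The value stored is a double on both paths above; keep the known type in step with it (bug 617624). */`. Whether `setType` is safe to call after `resetSynced()` depends on its definition, which is not visible here; if it touches sync state, the ordering deserves a note as well. `storeTop`'s body starts and ends outside the hunk.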
@@ -2122,18 +2123,17 @@ FrameState::storeTop(FrameEntry *target,
         } else {
             /*
              * The backing should normally already be the type we are storing.  However,
              * we do not always keep track of the type in fused opcodes like GETTHISPROP.
              */
             JS_ASSERT_IF(backing->isTypeKnown(), backing->isType(type));
             if (!backing->isTypeKnown())
                 learnType(backing, type);
-            target->type.setConstant();
-            target->knownType = type;
+            target->setType(type);
         }
     }
 
     if (!backing->isTypeKnown())
         backing->type.invalidate();
     backing->data.invalidate();
     backing->setCopyOf(target);