453049 - TM: "Assertion failure: (*m != JSVAL_INT) || isInt32(*vp)" with negative zero as property

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

js -j     
js> var z = 0; for (let j = 0; j < 5; ++j) { ({p: (-z)}); }

Assertion failure: (*m != JSVAL_INT) || isInt32(*vp), at jstracer.cpp:1398

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Two problems here.

First is that we're not checking if a 0 is turning into a double in JSOP_NEG.  Second is that we're generating incorrect code in cases where we don't propagate constants.  I think we might have to guard JSOP_NEG on not being 0 for int-specialized loops, as the NEG instruction does not set the overflow flag on 0.

Will wait for a comment from another TM person before I patch this though.

Comment 2

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fixes code generation and accidental integer promotion

I removed JSOP_NEG's call to unary() and FuncFilter's entry for LIR_neg so I could use the value on the stack to check the promotion logic.  Not sure if that was the right idea.

Comment 3

[David Anderson [:dvander] - inactive, e-mail if emergency]

Pushed fix as changeset b0e54985bcda.

Comment 4

[Bob Clary [:bc] (inactive)]

/cvsroot/mozilla/js/tests/js1_7/regress/regress-453049.js,v  <--  regress-453049.js
initial revision: 1.1

m-c: changeset:   19333:7d8fb914781a