Closed Bug 453049 Opened 17 years ago Closed 17 years ago

TM: "Assertion failure: (*m != JSVAL_INT) || isInt32(*vp)" with negative zero as property

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Assigned: dvander)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

fixes code generation and accidental integer promotion
2.60 KB, patch
gal
: review+
Details | Diff | Splinter Review
js -j js> var z = 0; for (let j = 0; j < 5; ++j) { ({p: (-z)}); } Assertion failure: (*m != JSVAL_INT) || isInt32(*vp), at jstracer.cpp:1398
Two problems here. First is that we're not checking if a 0 is turning into a double in JSOP_NEG. Second is that we're generating incorrect code in cases where we don't propagate constants. I think we might have to guard JSOP_NEG on not being 0 for int-specialized loops, as the NEG instruction does not set the overflow flag on 0. Will wait for a comment from another TM person before I patch this though.
I removed JSOP_NEG's call to unary() and FuncFilter's entry for LIR_neg so I could use the value on the stack to check the promotion logic. Not sure if that was the right idea.
Attachment #336776 - Flags: review?(gal)
Pushed fix as changeset b0e54985bcda.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Attachment #336776 - Flags: review?(gal) → review+
Summary: "Assertion failure: (*m != JSVAL_INT) || isInt32(*vp)" with negative zero as property → TM: "Assertion failure: (*m != JSVAL_INT) || isInt32(*vp)" with negative zero as property
/cvsroot/mozilla/js/tests/js1_7/regress/regress-453049.js,v <-- regress-453049.js initial revision: 1.1 m-c: changeset: 19333:7d8fb914781a
Flags: in-testsuite+
Flags: in-litmus-
Assignee: general → danderson
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: