Closed Bug 581936 Opened 14 years ago Closed 14 years ago

JM: Addition operator incorrectly coerces strings to integers

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: adrake, Unassigned)

References

Details

The following test case fails its assertion on every permutation of opt/debug 32/64 ic/noic (all with actual value 0):

function returnZero() { return 0; } 
function test() {
  var a = "a";
  var b = "b";
  if (returnZero()) {
    return a + b;
  } else {
    return b + a;
  }
}
assertEq(test(), "ba");

This bug was introduced by changeset http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/51ed7672df50 , [JAEGER] Simplify double arithmetic paths.
It looks like a syncing problem.

When we go into the addition, the type registers are loaded -- the type of lhs and rhs are both identified as JSVAL_TAG_STRING, and the slow path is taken.

In the slow path, the rval is JSVAL_TAG_NULL, and the lval is JSVAL_TAG_INT32 with a payload of 0x0.
Great test-case, thanks! The bug is that when you construct your own OOL paths, syncExit assumes you called linkExit, so it can't be used. We were jumping right over the spill code.

http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/c31210b66d0c
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.