Closed Bug 581936 Opened 15 years ago Closed 15 years ago

JM: Addition operator incorrectly coerces strings to integers

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: adrake, Unassigned)

References

Details

The following test case fails its assertion on every permutation of opt/debug 32/64 ic/noic (all with actual value 0): function returnZero() { return 0; } function test() { var a = "a"; var b = "b"; if (returnZero()) { return a + b; } else { return b + a; } } assertEq(test(), "ba"); This bug was introduced by changeset http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/51ed7672df50 , [JAEGER] Simplify double arithmetic paths.
It looks like a syncing problem. When we go into the addition, the type registers are loaded -- the type of lhs and rhs are both identified as JSVAL_TAG_STRING, and the slow path is taken. In the slow path, the rval is JSVAL_TAG_NULL, and the lval is JSVAL_TAG_INT32 with a payload of 0x0.
Great test-case, thanks! The bug is that when you construct your own OOL paths, syncExit assumes you called linkExit, so it can't be used. We were jumping right over the spill code. http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/c31210b66d0c
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.