610618 - JM produces incorrect result for NaN, prefix increment

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jan de Mooij [:jandem]]

This test case:
---
function a1() {
    var a8 = NaN;
    var a9 = ++a8;
    var a10 = ++a8;
    print(a8);
    print(a9);
    print(a10);
}
a1();
---
Gives the following output:

JM : NaN, undefined, NaN
TM/V8 : NaN, NaN, NaN

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Great test case.

Our implementation of localinc is a huge hack that tries to work around some early FrameState problems. Everything goes wrong at "a10 = ++a8".

 1. a8 is backed by [t=EDI, d=EDX], a9 is unsynced, backed by a8.
 2. Guard: EDI is an int32 ----------> slow path
 3. Copy EDX -> ESI
 4. Add 1 to ESI
 5. a8 is "uncopied", a9 becomes backed by [t=mem, d=EDX], and is unsynced.
 6. a8 becomes backed by [t=int32, d=ESI]
 7. <-------- slow path rejoins here

The bug is that when the slow path rejoins, it sees that a9 should be reloaded into ESI. But that's not correct. a9 was never synced, so it reloads its old value (in this case, undefined).

Comment 3

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fix

No noticeable perf loss on sunspider or v8. The generated code isn't as efficient, but this is something we should fix in ADD/SUB instead as we aim to remove op fusing.

Comment 4

[David Anderson [:dvander] - inactive, e-mail if emergency]

http://hg.mozilla.org/tracemonkey/rev/b3064e25be90

Comment 5

[Robert Sayre]

http://hg.mozilla.org/mozilla-central/rev/b3064e25be90