Closed Bug 648567 Opened 14 years ago Closed 14 years ago

TI+JM: incorrect result with array testcase

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

Details

Attachments

(1 file)

Testcase
220 bytes, application/x-javascript
Details
Attached file Testcase
$ ./js -a -n -m test.js test.js:8: Error: Assertion failed: got 1e-323, expected 2 The test does not fail if the first element in the array is >= 0, it will use JSOP_OBJECT instead of JSOP_INITARRAY.
When inlining a call, we don't write types for the inlined call's local variables when they are known statically. For uninlined calls, we do make such writes (we probably shouldn't be doing this, just remember known types on the JITScript and fill in before recompiling). When expanding inline frames, these unsynced type tags always need to be written. The reason this works if the initializer is a JSOP_OBJECT is that we use the default, unknown type object for singleton arrays with heterogenous element type, so did not assume anything at all about the array or its contents and didn't incur the recompilations triggering this bug. http://hg.mozilla.org/projects/jaegermonkey/rev/ef890e014ce1
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: