Closed Bug 652590 Opened 13 years ago Closed 13 years ago

TI+JM: incorrect result with JSOP_OR, double

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

Details

--
function f() {
    var x = undefined ? 1 : 4294967295;
    print(false || x);
}
f();
--
$ ./js test.js
4294967295

$ ./js -n -m -a test.js
-2147483648

Revision 8f0c5e12eba9, 32-bit OS X. This seems to be a recent regression.
When fixing double types before branching, we did not necessarily know the variable was previously an integer and could convert existing doubles, then get 0x80000000 when trying to convert them back to integers after the branch.  We should only be converting entries that are definitely integers before branching, so this fix ensures that variables inferred as doubles are always maintained as doubles by the FrameState, including within basic blocks (we were already normally doing this, but areas where we lose precision like the stack values transmitted by the '?' operator needed to be accounted for).

http://hg.mozilla.org/projects/jaegermonkey/rev/89d2095c7a87
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.