IonMonkey: Null Increment error

RESOLVED FIXED

Status

()

Core
JavaScript Engine
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: nbp, Assigned: dvander)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

6 years ago
The test basic/testNullIncrement.js started to fail, after the implementation of Bug 691340.  The test can be simplified to test without waiting for Bug 691340 fix:


function f() {
    var n = null;
    return n++;
}

print(f());
assertEq(f(), 0);
Blocks: 677337
No longer blocks: 650180
The bug here is that jsop_localinc/jsop_arginc do not ToNumber() their inputs.
Assignee: general → dvander
Status: NEW → ASSIGNED
Created attachment 570349 [details] [diff] [review]
fix

The bug is that localinc/arginc weren't performing a ToNumber conversion. It was implicit in the type policy for Add, which isn't really correct since it has to happen on the local, not the stack.
Attachment #570349 - Flags: review?(cdleary)
Created attachment 570351 [details] [diff] [review]
fix

wrong patch
Attachment #570349 - Attachment is obsolete: true
Attachment #570349 - Flags: review?(cdleary)
Attachment #570351 - Flags: review?(cdleary)
Comment on attachment 570351 [details] [diff] [review]
fix

Review of attachment 570351 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/IonBuilder.cpp
@@ +1771,5 @@
> +    bool post = !!(js_CodeSpec[op].format & JOF_POST);
> +    TypeOracle::Binary types = oracle->binaryOp(script, pc);
> +
> +    // Grab the value at the local slot, and convert it to a number. Currently,
> +    // we use ToInt32 or ToNumber which are idempotent. This whole operation

Can we say, 'fallible, but idempotent'?
Attachment #570351 - Flags: review?(cdleary) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/70953dad5e78
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.