Last Comment Bug 724517 - IonMonkey: Folding null/undefined in jsop_getelem_dense is not safe
: IonMonkey: Folding null/undefined in jsop_getelem_dense is not safe
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: unspecified
: All All
-- normal (vote)
: ---
Assigned To: Jan de Mooij [:jandem]
: Jason Orendorff [:jorendorff]
Depends on:
  Show dependency treegraph
Reported: 2012-02-06 05:00 PST by Jan de Mooij [:jandem]
Modified: 2012-02-06 13:08 PST (History)
1 user (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

Fix + test (2.22 KB, patch)
2012-02-06 05:07 PST, Jan de Mooij [:jandem]
dvander: review+
Details | Diff | Splinter Review

Description User image Jan de Mooij [:jandem] 2012-02-06 05:00:34 PST
I modified ss-fannkuch to work around the missing JSOP_NOT support (bug 709240) and hit an assertion failure. While reducing this assert, I hit an (unrelated) inference failure.

The problem is that we can't fold null/undefined in jsop_getelem_dense, since the resulting SSA no longer mimics the bytecode (required by IsPhiObservable).
Comment 1 User image Jan de Mooij [:jandem] 2012-02-06 05:07:54 PST
Created attachment 594681 [details] [diff] [review]
Fix + test

Also has a trivial fix for an unrelated STRICTEQ/NE assert I had in my queue - I don't think it deserves its own bug.
Comment 2 User image David Anderson [:dvander] 2012-02-06 12:56:24 PST
Comment on attachment 594681 [details] [diff] [review]
Fix + test

Okay, I think I understand this now: the way EliminateDeadPhis works requires that we consider the uses in the bytecode to be uses in the SSA as well. If we eliminate the LoadElement of |perm| we consider |perm| as dead.

This is tricky and I wouldn't be surprised if we end up deciding to overhaul EliminateDeadPhis later.
Comment 3 User image Jan de Mooij [:jandem] 2012-02-06 13:08:29 PST

Note You need to log in before you can comment on or make changes to this bug.