IonMonkey: Folding null/undefined in jsop_getelem_dense is not safe

RESOLVED FIXED

Status

()

Core
JavaScript Engine
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: jandem, Assigned: jandem)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

5 years ago
I modified ss-fannkuch to work around the missing JSOP_NOT support (bug 709240) and hit an assertion failure. While reducing this assert, I hit an (unrelated) inference failure.

The problem is that we can't fold null/undefined in jsop_getelem_dense, since the resulting SSA no longer mimics the bytecode (required by IsPhiObservable).
(Assignee)

Comment 1

5 years ago
Created attachment 594681 [details] [diff] [review]
Fix + test

Also has a trivial fix for an unrelated STRICTEQ/NE assert I had in my queue - I don't think it deserves its own bug.
Attachment #594681 - Flags: review?(dvander)
Comment on attachment 594681 [details] [diff] [review]
Fix + test

Okay, I think I understand this now: the way EliminateDeadPhis works requires that we consider the uses in the bytecode to be uses in the SSA as well. If we eliminate the LoadElement of |perm| we consider |perm| as dead.

This is tricky and I wouldn't be surprised if we end up deciding to overhaul EliminateDeadPhis later.
Attachment #594681 - Flags: review?(dvander) → review+
(Assignee)

Comment 3

5 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/a1fc5b03be76
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.