Closed Bug 724517 Opened 13 years ago Closed 13 years ago

IonMonkey: Folding null/undefined in jsop_getelem_dense is not safe

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Assigned: jandem)

Details

Attachments

(1 file)

Fix + test
2.22 KB, patch
dvander
: review+
Details | Diff | Splinter Review
I modified ss-fannkuch to work around the missing JSOP_NOT support (bug 709240) and hit an assertion failure. While reducing this assert, I hit an (unrelated) inference failure. The problem is that we can't fold null/undefined in jsop_getelem_dense, since the resulting SSA no longer mimics the bytecode (required by IsPhiObservable).
Attached patch Fix + testSplinter Review
Also has a trivial fix for an unrelated STRICTEQ/NE assert I had in my queue - I don't think it deserves its own bug.
Attachment #594681 - Flags: review?(dvander)
Comment on attachment 594681 [details] [diff] [review] Fix + test Okay, I think I understand this now: the way EliminateDeadPhis works requires that we consider the uses in the bytecode to be uses in the SSA as well. If we eliminate the LoadElement of |perm| we consider |perm| as dead. This is tricky and I wouldn't be surprised if we end up deciding to overhaul EliminateDeadPhis later.
Attachment #594681 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/a1fc5b03be76
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: