Closed Bug 724517 Opened 12 years ago Closed 12 years ago

IonMonkey: Folding null/undefined in jsop_getelem_dense is not safe

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: jandem, Assigned: jandem)

Details

Attachments

(1 file)

I modified ss-fannkuch to work around the missing JSOP_NOT support (bug 709240) and hit an assertion failure. While reducing this assert, I hit an (unrelated) inference failure.

The problem is that we can't fold null/undefined in jsop_getelem_dense, since the resulting SSA no longer mimics the bytecode (required by IsPhiObservable).
Attached patch Fix + testSplinter Review
Also has a trivial fix for an unrelated STRICTEQ/NE assert I had in my queue - I don't think it deserves its own bug.
Attachment #594681 - Flags: review?(dvander)
Comment on attachment 594681 [details] [diff] [review]
Fix + test

Okay, I think I understand this now: the way EliminateDeadPhis works requires that we consider the uses in the bytecode to be uses in the SSA as well. If we eliminate the LoadElement of |perm| we consider |perm| as dead.

This is tricky and I wouldn't be surprised if we end up deciding to overhaul EliminateDeadPhis later.
Attachment #594681 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/a1fc5b03be76
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.