Closed Bug 756247 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:353

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

VERIFIED FIXED

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase asserts on ionmonkey revision 14735b4dbccc (run with --ion -n -m --ion-eager):


function foo(i)  {
    var n = 0;
    for (var i = 0; i < (false  ); i++)
      n = a++;
    assertEq(n, 29);
}
var a = foo(10);

Reduced it a bit more:

function foo()  {
    var n = 0;
    while (false)
        n = +a;
    print(n); // bailout
}
foo();

The problem is that when we bail out, n is a double (0.0) instead of an integer. The inferred type of "+a" is value -> value, which we compile to MToDouble. Using MToDouble is fine for "value -> double" but for "value -> value" we should probably just call a stub.

Note that value -> int32 has the same problem (double value instead of int32). This testcase also triggers the assert:

function bar(x) {
    var y = +(x ? x : "foo");
    print(y);
}
bar(10);

Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attached patch: Patch
This follows JSOP_NEG and compiles +x as x * 1. Seems like it's the simplest fix and does not regress SS/V8/Kraken.
Attachment #625079 - Flags: review?(dvander)
Attachment #625079 - Flags: review?(dvander) → review+
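
The patch comment above describes compiling +x as x * 1. The following differential check is an added example, not code from this bug or from the IonMonkey patch: it confirms that the two forms are observably identical (result, -0/NaN handling, exception type, valueOf call count), which is what makes the rewrite safe. All function names and sample inputs are constructed for illustration.

```javascript
// Added example: differential check of `+x` against `x * 1`.
// All sample inputs below are constructed for illustration.
// Record the result or the exception type so throwing inputs compare too.
function outcome(op, x) {
  try { return { value: op(x) }; } catch (e) { return { threw: e.constructor.name }; }
}

// Object.is tells -0 from +0 and treats NaN as equal to itself.
function sameOutcome(a, b) {
  if ("threw" in a || "threw" in b) return a.threw === b.threw;
  return typeof a.value === "number" && Object.is(a.value, b.value);
}

const unaryPlus = (x) => +x;
const timesOne = (x) => x * 1;

function samples() {
  return [
    10, 0, -0, 0.5, NaN, Infinity, 2147483648,   // int32, double, out of int32 range
    undefined, null, true, false,                // non-number primitives
    "foo", "29", " 0x1f ", "",                   // strings, as in +(x ? x : "foo")
    [], [5], {}, { valueOf() { return "3"; } },  // objects go through ToPrimitive
    { valueOf() { throw new RangeError("constructed"); } },
    Symbol("constructed"),                       // ToNumber throws TypeError
  ];
}

// Returns the inputs on which the two forms disagree.
function findMismatches(iterations = 2000) {
  const bad = [];
  for (const x of samples()) {
    // Repeat so a JIT can compile both paths before the comparison ends.
    for (let i = 0; i < iterations; i++) {
      if (!sameOutcome(outcome(unaryPlus, x), outcome(timesOne, x))) {
        bad.push(x);
        break;
      }
    }
  }
  return bad;
}

// Side effects must match as well: count valueOf calls made by one operation.
function valueOfCalls(op) {
  const o = { calls: 0, valueOf() { this.calls++; return 7; } };
  op(o);
  return o.calls;
}

console.log("mismatching inputs:", findMismatches().length);
```
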
https://hg.mozilla.org/projects/ionmonkey/rev/ceb5ab053f82
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Group: core-security
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756247.js.
Flags: in-testsuite+