IonMonkey: Differential Testing: Getting TypeError vs no TypeError w/without ion

Status: VERIFIED FIXED
Product / Component: Core :: JavaScript Engine
Priority / Severity: -- / critical
Reported: 5 years ago; Modified: 4 years ago
Reporter: gkw; Assignee: sstangl
Blocks: 2 bugs
Keywords: regression, testcase
Version: Other Branch; Hardware / OS: x86 / Windows 7
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)
Attachments: 2 attachments, 1 obsolete attachment

(Reporter)

Description

5 years ago
Created attachment 636031 [details]
testcase

The attached testcase shows a TypeError at the bottom using js opt shell on IonMonkey changeset 881c4b8e7404 with --no-jm:

/snip
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
TypeError: (void 0) is not a function

but doesn't when run without --no-jm:

/snip
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length

mozilla-inbound changeset cb74a377095a does not seem to have this issue. All shells tested on 64-bit, and with --enable-more-deterministic.

This is at least a regression for IonMonkey.
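The technique the report relies on (run the same code with and without a JIT tier and compare which exception class comes out) reduces to a small harness, shown here as an added example that is not part of this bug or of SpiderMonkey. It runs under any ECMAScript engine (Node shape), so within a single engine it cannot reproduce the IonMonkey divergence itself; instead `makeTierDependent` is a constructed function whose behaviour changes after a call count, standing in for a tier switch, so the harness has a divergence to flag. The valid array-length bounds used are the ECMAScript uint32 rule, not SpiderMonkey's internal `NELEMENTS_LIMIT`, which is an engine-specific allocation cap and is an assumption about nothing beyond the spec here.

```javascript
// Added example, not code from the bug or from SpiderMonkey: a minimal
// differential-testing harness that compares the observable outcome of a
// function across repeated invocations, the way the report compares
// --no-jm against the default shell.

// Classify one invocation by its observable outcome: "ok" on normal return,
// otherwise the name of the thrown error's constructor (RangeError, TypeError, ...).
function outcomeOf(fn, arg) {
  try {
    fn(arg);
    return "ok";
  } catch (e) {
    return e && e.constructor ? e.constructor.name : "non-Error throw";
  }
}

// Run fn(arg) `iterations` times and record every distinct outcome together
// with the first iteration at which it appeared. A deterministic fn on a
// correct engine yields exactly one outcome; more than one means behaviour
// changed between invocations, which for a JIT typically means an optimised
// path disagrees with the interpreter once the code became hot.
function differential(fn, arg, iterations = 200) {
  const seen = new Map();
  for (let i = 0; i < iterations; i++) {
    const o = outcomeOf(fn, arg);
    if (!seen.has(o)) seen.set(o, i);
  }
  return {
    outcomes: [...seen.keys()],
    firstSeen: Object.fromEntries(seen),
    divergent: seen.size > 1,
  };
}

// ECMAScript array lengths are uint32 values: integers in [0, 2^32 - 1].
// Any other single numeric argument to Array() must throw RangeError,
// which is the "invalid array length" line in the report's output.
function arrayLengthOutcome(len) {
  return outcomeOf((n) => new Array(n), len);
}

// Constructed stand-in for the kind of bug in this report: a function whose
// behaviour silently changes after `threshold` calls (a plain counter in place
// of a JIT tier switch). While "cold" it throws the expected RangeError for an
// invalid length; once "hot" it throws a TypeError instead.
function makeTierDependent(threshold = 50) {
  let calls = 0;
  return function (n) {
    calls++;
    if (calls <= threshold) {
      return new Array(n); // RangeError for an invalid length
    }
    const bogus = undefined;
    return bogus(n); // TypeError: bogus is not a function
  };
}

// Stand-alone usage: a correct engine reports a single outcome for the
// invalid length, while the constructed tier-dependent function is flagged.
if (typeof require !== "undefined" && require.main === module) {
  console.log(differential((n) => new Array(n), 2 ** 32));
  console.log(differential(makeTierDependent(50), 2 ** 32));
}
```

When pointing this at a real engine, the cold and hot outcomes come from the same process, so a divergence only appears if the engine's own tiering changes behaviour; the report instead compared two shell configurations, which is the same comparison done across processes.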

Comment 1

5 years ago
Created attachment 636067 [details]
clearer testcase
Attachment #636031 - Attachment is obsolete: true

Comment 2

5 years ago
The first bad revision is:
changeset:   https://hg.mozilla.org/projects/ionmonkey/rev/8a2010ae3d08
user:        Sean Stangl
date:        Tue Mar 27 12:20:22 2012 -0700
summary:     Bug 735400 - Optimize JSOP_FUNCALL. r=dvander
(Assignee)

Comment 3

5 years ago
Created attachment 636502 [details] [diff] [review]
Inline NewArray only if it won't generate a RangeError.

Kindly disregard the crazy levels of indentation. I'll fix that in a follow-up bug -- that whole file needs cleanup badly.
Attachment #636502 - Flags: review?(dvander)
(Assignee)

Updated

5 years ago
Blocks: 768249

Comment 4

5 years ago
Comment on attachment 636502 [details] [diff] [review]
Inline NewArray only if it won't generate a RangeError.

Review of attachment 636502 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/CodeGenerator.cpp
@@ +989,5 @@
>      Register objReg = ToRegister(lir->output());
>      types::TypeObject *typeObj = lir->mir()->type();
>      uint32 count = lir->mir()->count();
>  
> +    JS_ASSERT((int32_t)count >= 0);
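Review bot: the assertion in this hunk does not enforce what the patch title promises. `count` is a `uint32`, so `JS_ASSERT((int32_t)count >= 0)` only rejects counts with the top bit set (2^31 and above) and still admits every count up to 2^31-1, including any that exceed the engine's element limit and would have thrown "RangeError: invalid array length" on the non-inlined path. Assert the bound the inlining decision is supposed to respect, `JS_ASSERT(count < JSObject::NELEMENTS_LIMIT);`, so that a later change to the builder-side check that lets an over-limit count through fails here in debug builds instead of silently inlining an allocation that should have thrown.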

JS_ASSERT(count < JSObject::NELEMENTS_LIMIT)
Attachment #636502 - Flags: review?(dvander) → review+
(Assignee)

Comment 5

5 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/02c16738f778
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Updated

5 years ago
Flags: in-testsuite+
(Reporter)

Updated

5 years ago
Assignee: general → sstangl
(Reporter)

Comment 6

4 years ago
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED