Closed Bug 767665 Opened 12 years ago Closed 12 years ago

IonMonkey: Differential Testing: Getting TypeError vs no TypeError w/without ion

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Windows 7
defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: gkw, Assigned: sstangl)

Details

(Keywords: regression, testcase)

Attachments

(2 files, 1 obsolete file)

Attached file testcase (obsolete)
The attached testcase shows a TypeError at the bottom using js opt shell on IonMonkey changeset 881c4b8e7404 with --no-jm:

/snip
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
TypeError: (void 0) is not a function

but doesn't when run without --no-jm:

/snip
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length
RangeError: invalid array length

mozilla-inbound changeset cb74a377095a does not seem to have this issue. All shells tested on 64-bit, and with --enable-more-deterministic.

This is at least a regression for IonMonkey.
Attached file clearer testcase
Attachment #636031 - Attachment is obsolete: true
The first bad revision is:
changeset:   https://hg.mozilla.org/projects/ionmonkey/rev/8a2010ae3d08
user:        Sean Stangl
date:        Tue Mar 27 12:20:22 2012 -0700
summary:     Bug 735400 - Optimize JSOP_FUNCALL. r=dvander
Kindly disregard the crazy levels of indentation. I'll fix that in a follow-up bug -- that whole file needs cleanup badly.
Attachment #636502 - Flags: review?(dvander)
Blocks: 768249
Comment on attachment 636502
Inline NewArray only if it won't generate a RangeError.

Review of attachment 636502:
-----------------------------------------------------------------

::: js/src/ion/CodeGenerator.cpp
@@ +989,5 @@
>      Register objReg = ToRegister(lir->output());
>      types::TypeObject *typeObj = lir->mir()->type();
>      uint32 count = lir->mir()->count();
>  
> +    JS_ASSERT((int32_t)count >= 0);
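
Review bot: the added assertion at +989 only checks that count, declared uint32 two lines above, is non-negative after a cast to int32_t, which says no more than that count is at most INT32_MAX and is only indirectly related to the condition the patch title names (that NewArray won't generate a RangeError). Compare count, unsigned, against the array length limit that the inlining decision is meant to respect, so the assertion states the invariant directly and does not rely on the cast. JS_ASSERT is a debug-only check, so release builds are protected only by the inlining guard itself, which is not visible in this hunk; a short comment here naming that guard would help the next reader.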

JS_ASSERT(count < JSObject::NELEMENTS_LIMIT)
Attachment #636502 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/02c16738f778
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Assignee: general → sstangl
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED
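
The with/without-JIT comparison in the original report, and the RangeError condition named in the patch title, can also be checked inside one process by comparing a function's outcome before and after warm-up. The sketch below is an added example, not the attached testcase or Mozilla's fuzzing harness; `makeArray`, `outcome`, `expected`, `differential`, the sample lengths and the warm-up count are constructed for illustration, and whether the warm-up actually triggers JIT compilation is up to the engine.

```javascript
// Added example: in-process differential check for array-length RangeErrors.
// All names and sample values are constructed for illustration.

// The operation under test: allocate an array with a caller-supplied length.
function makeArray(len) {
  return new Array(len);
}

// Reduce one call to a comparable outcome string.
function outcome(len) {
  try {
    makeArray(len);
    return "ok";
  } catch (e) {
    return e instanceof Error ? e.name : "non-Error throw";
  }
}

// Oracle from the language rule: a numeric length that is not an
// unsigned 32-bit integer must raise RangeError.
function expected(len) {
  return typeof len === "number" && (len >>> 0) !== len ? "RangeError" : "ok";
}

// Record outcomes before warm-up, make the function hot with valid
// lengths, record again, and return every input whose outcome changed
// or disagrees with the oracle.
function differential(inputs, warmups) {
  const cold = inputs.map(outcome);
  for (let i = 0; i < warmups; i++) makeArray(i & 7);
  const hot = inputs.map(outcome);
  return inputs
    .map((len, i) => ({ len, cold: cold[i], hot: hot[i], expected: expected(len) }))
    .filter((r) => r.cold !== r.hot || r.hot !== r.expected);
}

// Constructed sample lengths around the valid/invalid boundary.
const SAMPLE_LENGTHS = [0, 8, -1, 1.5, NaN, Infinity, 2 ** 32, 2 ** 32 - 1];

console.log(differential(SAMPLE_LENGTHS, 20000));
```

An empty result means every length produced the same outcome cold and hot and matched the oracle; any entry returned is a candidate for a cross-tier comparison of the kind described in this bug.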