774644 - IonMonkey: Differential Testing: Missing ReferenceError with ion.

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase shows different behavior with options --ion -n -m --ion-eager vs. --no-ion on ionmonkey revision c4c50dc6317c:


function YearFromTime() {}
addTestCase();
function addTestCase() {
  var start = -62126352000000;
  YearFromTime();
  var stop = -62094729600000;
  for (var d = start; d < stop; d >>= 86400000)
    new TestCase();
}


$ debug64/js --ion -n -m --ion-eager test.js
<no output>

$ debug64/js --no-ion test.js
test.js:8: ReferenceError: TestCase is not defined

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fix

The bug is that the very end of the loop has an INT32 type for |d|, but the loop header has |double|. But the OSR type deduction algorithm stops just short of the loop header, so we accidentally unbox the double as an integer.

Comment 3

[Jan de Mooij [:jandem]]

Comment on attachment 643189 [details] [diff] [review]
fix

Review of attachment 643189 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch.

Comment 4

[David Anderson [:dvander] - inactive, e-mail if emergency]

http://hg.mozilla.org/projects/ionmonkey/rev/a21e8bf3531f

Comment 5

[David Anderson [:dvander] - inactive, e-mail if emergency]

Backed out due to orange: https://hg.mozilla.org/projects/ionmonkey/rev/db83474903a5

Comment 6

[Jan de Mooij [:jandem]]

Here's another testcase:

function f() {
    var x = x * 23;
    while (x)
        x = 2;
    return x;
}
print(f());

Prints 0 with --ion-eager instead of NaN. We enter via OSR and assume x is int32, but it may also be a double.

Comment 7

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attempting a relanding since I can't reproduce shell failures locally:

https://hg.mozilla.org/projects/ionmonkey/rev/547ffa1e37eb