782087 - IonMonkey: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:327

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on ionmonkey revision f1764bf06b29 (run with --ion -n):


test();
function test() {
    var n = 1000000;
    var start = new Date();
    var mceil = Math.floor;
    for (i = 3; i<= n; i+=2) {}
    var end = mceil  ();
    var timetaken = end - start;
    timetaken = timetaken / 1000;
    return timetaken;
}

Comment 1

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: fix

The bug is that "double" may not be in the typeset for a call's return value, but we aggressively fold Math.floor() and friends to return a NaN. This patch just removes all this folding since it doesn't appear to occur in benchmarks anyway.

Comment 2

[David Anderson [:dvander] - inactive, e-mail if emergency]

Attachment: with typo fixed

Comment 3

[Sean Stangl [:sstangl]]

Comment on attachment 651903 [details] [diff] [review]
with typo fixed

Review of attachment 651903 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/MCallOptimize.cpp
@@ +426,5 @@
>      if (constructing)
>          return InliningStatus_NotInlined;
>  
> +    if (argc != 2)
> +        return InliningStatus_NotInlined;

This can be "< 2".

Comment 4

[David Anderson [:dvander] - inactive, e-mail if emergency]

I kept != 2 to be strict about what we accept as optimizable.

https://hg.mozilla.org/projects/ionmonkey/rev/6a707a112b58

Comment 5

[Christian Holler (:decoder)]

A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug782087.js.