Closed Bug 782087 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:327

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][ion:p1:fx18])

Attachments

(1 file, 1 obsolete file)

with typo fixed
6.95 KB, patch
sstangl
: review+
Details | Diff | Splinter Review 
The following testcase asserts on ionmonkey revision f1764bf06b29 (run with --ion -n):


test();
function test() {
    var n = 1000000;
    var start = new Date();
    var mceil = Math.floor;
    for (i = 3; i<= n; i+=2) {}
    var end = mceil  ();
    var timetaken = end - start;
    timetaken = timetaken / 1000;
    return timetaken;
}
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Attached patch fix (obsolete) — Splinter Review 
The bug is that "double" may not be in the typeset for a call's return value, but we aggressively fold Math.floor() and friends to return a NaN. This patch just removes all this folding since it doesn't appear to occur in benchmarks anyway.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #651900 - Flags: review?(sstangl)
Attached patch with typo fixedSplinter Review 

        Attachment #651900 -
        Attachment is obsolete: true

        Attachment #651900 -
        Flags: review?(sstangl)

        Attachment #651903 -
        Flags: review?

    
    

    
  
Comment on attachment 651903 [details] [diff] [review]
with typo fixed

Review of attachment 651903 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/ion/MCallOptimize.cpp
@@ +426,5 @@
>      if (constructing)
>          return InliningStatus_NotInlined;
>  
> +    if (argc != 2)
> +        return InliningStatus_NotInlined;

This can be "< 2".

        Attachment #651903 -
        Flags: review? → review+

    
    

    
  
I kept != 2 to be strict about what we accept as optimizable.

https://hg.mozilla.org/projects/ionmonkey/rev/6a707a112b58
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED

    
    

    
  
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug782087.js.
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: