The following testcase asserts on ionmonkey revision 14735b4dbccc (run with --ion -n -m --ion-eager): function foo(i) { var n = 0; for (var i = 0; i < (false ); i++) n = a++; assertEq(n, 29); } var a = foo(10);

Reduced it a bit more: function foo() { var n = 0; while (false) n = +a; print(n); // bailout } foo(); The problem is that when we bailout, n is a double (0.0) instead of an integer. The inferred type of "+a" is value -> value, which we compile to MToDouble. Using MToDouble is fine for "value -> double" but for "value -> value" we should probably just call a stub. Note that value -> int32 has the same problem (double value instead of int32). This testcase also triggers the assert: function bar(x) { var y = +(x ? x : "foo"); print(y); } bar(10);

This follows JSOP_NEG and compiles +x as x * 1. Seems like it's the simplest fix and does not regress SS/V8/Kraken.

JSBugMon: This bug has been automatically verified fixed.

A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756247.js.