Closed Bug 767665 Opened 12 years ago Closed 12 years ago

IonMonkey: Differential Testing: Getting TypeError vs no TypeError w/without ion

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: gkw, Assigned: sstangl)

References

Details

(Keywords: regression, testcase)

Attachments

(2 files, 1 obsolete file)

clearer testcase
(deleted), text/plain
Details
Inline NewArray only if it won't generate a RangeError.
(deleted), patch
dvander
: review+
Details | Diff | Splinter Review
Attached file testcase (obsolete) (deleted) —
The attached testcase shows a TypeError at the bottom using js opt shell on IonMonkey changeset 881c4b8e7404 with --no-jm: /snip RangeError: invalid array length RangeError: invalid array length RangeError: invalid array length RangeError: invalid array length RangeError: invalid array length TypeError: (void 0) is not a function but doesn't when run without --no-jm: /snip RangeError: invalid array length RangeError: invalid array length RangeError: invalid array length RangeError: invalid array length RangeError: invalid array length RangeError: invalid array length mozilla-inbound changeset cb74a377095a does not seem to have this issue. All shells tested on 64-bit, and with --enable-more-deterministic. This is at least a regression for IonMonkey.
Attached file clearer testcase (deleted) —
Attachment #636031 - Attachment is obsolete: true
The first bad revision is: changeset: https://hg.mozilla.org/projects/ionmonkey/rev/8a2010ae3d08 user: Sean Stangl date: Tue Mar 27 12:20:22 2012 -0700 summary: Bug 735400 - Optimize JSOP_FUNCALL. r=dvander
Kindly disregard the crazy levels of indentation. I'll fix that in a follow-up bug -- that whole file needs cleanup badly.
Attachment #636502 - Flags: review?(dvander)
Blocks: 768249
Comment on attachment 636502 [details] [diff] [review] Inline NewArray only if it won't generate a RangeError. Review of attachment 636502 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/CodeGenerator.cpp @@ +989,5 @@ > Register objReg = ToRegister(lir->output()); > types::TypeObject *typeObj = lir->mir()->type(); > uint32 count = lir->mir()->count(); > > + JS_ASSERT((int32_t)count >= 0); JS_ASSERT(count < JSObject::NELEMENTS_LIMIT)
Attachment #636502 - Flags: review?(dvander) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/02c16738f778
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Assignee: general → sstangl
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: