From 052373f8bbbbd12acce58101e09f16a0afc002ae Mon Sep 17 00:00:00 2001
From: Brian Hackett
Date: Sun, 1 May 2011 17:38:05 -0700
Subject: [PATCH] [INFER] Assume double types for entries with empty type sets being merged into double phi nodes, bug 653249.
---
 js/src/jit-test/tests/jaeger/bug653249.js | 13 +++++++++++++
 js/src/methodjit/Compiler.cpp | 20 +++++++++++++++-----
 js/src/methodjit/FrameState.cpp | 2 ++
 3 files changed, 30 insertions(+), 5 deletions(-)
 create mode 100644 js/src/jit-test/tests/jaeger/bug653249.js
diff --git a/js/src/jit-test/tests/jaeger/bug653249.js b/js/src/jit-test/tests/jaeger/bug653249.js
new file mode 100644
index 00000000000..b85ddd743fc
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/bug653249.js
@@ -0,0 +1,13 @@
+
+function testUnaryImacros() {
+ function checkArg(x) {
+ o = {
+ valueOf: checkArg
+ }
+ }
+ var v = 0;
+ v += +toString;
+ for (var i = 0; i;) {
+ v += [].checkArg.checkArg;
+ }
+}(testUnaryImacros(), "valueOf passed, toString passed");
diff --git a/js/src/methodjit/Compiler.cpp b/js/src/methodjit/Compiler.cpp
index bda967f314e..f63ab735144 100644
--- a/js/src/methodjit/Compiler.cpp
+++ b/js/src/methodjit/Compiler.cpp
@@ -7129,14 +7129,24 @@ mjit::Compiler::fixDoubleTypes(jsbytecode *target)
 continue;
 }
 if (newv->slot < analyze::TotalSlots(script)) {
+ types::TypeSet *targetTypes = analysis->getValueTypes(newv->value);
 VarType &vt = a->varTypes[newv->slot];
- if (vt.type == JSVAL_TYPE_INT32) {
- types::TypeSet *targetTypes = analysis->getValueTypes(newv->value);
- if (targetTypes->getKnownTypeTag(cx) == JSVAL_TYPE_DOUBLE &&
- fixDoubleSlot(newv->slot)) {
+ if (targetTypes->getKnownTypeTag(cx) == JSVAL_TYPE_DOUBLE &&
+ fixDoubleSlot(newv->slot)) {
+ FrameEntry *fe = frame.getOrTrack(newv->slot);
+ if (vt.type == JSVAL_TYPE_INT32) {
 fixedDoubleEntries.append(newv->slot);
- FrameEntry *fe = frame.getOrTrack(newv->slot);
 frame.ensureDouble(fe);
+ } else if (vt.type == JSVAL_TYPE_UNKNOWN) {
+ /*
+ * Unknown here but a double at the target. The type
+ * set for the existing value must be empty, so this
+ * code is doomed and we can just mark the value as
+ * a double.
+ */
+ frame.ensureDouble(fe);
+ } else {
+ JS_ASSERT(vt.type == JSVAL_TYPE_DOUBLE);
 }
 }
 }
diff --git a/js/src/methodjit/FrameState.cpp b/js/src/methodjit/FrameState.cpp
index 6102fb0ff09..aee5cf40383 100644
--- a/js/src/methodjit/FrameState.cpp
+++ b/js/src/methodjit/FrameState.cpp
@@ -1354,10 +1354,12 @@ FrameState::assertValidRegisterState() const
 if (fe->type.inRegister()) {
 checkedFreeRegs.takeReg(fe->type.reg());
 JS_ASSERT(regstate(fe->type.reg()).fe() == fe);
+ JS_ASSERT(!fe->isType(JSVAL_TYPE_DOUBLE));
 }
 if (fe->data.inRegister()) {
 checkedFreeRegs.takeReg(fe->data.reg());
 JS_ASSERT(regstate(fe->data.reg()).fe() == fe);
+ JS_ASSERT(!fe->isType(JSVAL_TYPE_DOUBLE));
 }
 if (fe->data.inFPRegister()) {
 JS_ASSERT(fe->isType(JSVAL_TYPE_DOUBLE));
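Review bot: In the Compiler.cpp hunk the trailing `else` is covered only by `JS_ASSERT(vt.type == JSVAL_TYPE_DOUBLE)`, which is compiled out of release builds, so a slot whose known tag is anything other than int32, unknown or double would be merged into a double phi node with no conversion and no diagnostic. In a JIT that is a type-confusion hazard, so the branch deserves a comment naming what rules the other tags out, for example `/* Only int32, double or empty type sets can be merged into a double phi; no other tag reaches here. */`, if that is indeed the guarantee. The `JSVAL_TYPE_UNKNOWN` branch also skips `fixedDoubleEntries.append(newv->slot)` that the int32 branch performs, and its comment says the existing type set "must be empty" without anything checking it; one more sentence there saying why the slot needs no entry in that list would make the asymmetry reviewable. fixDoubleTypes starts and ends outside this hunk, so how `fixedDoubleEntries` is consumed is not visible here.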
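Review bot: In the FrameState.cpp hunk the two added `JS_ASSERT(!fe->isType(JSVAL_TYPE_DOUBLE))` lines introduce an invariant that the code never states in words, namely that an entry known to be a double must not hold a type or data general-purpose register. A one-line comment above the first of them, such as `/* Entries known to be doubles live in FP registers or memory, never in GPRs. */`, would tie them to the existing `inFPRegister()` check below and tell a reader which side is wrong when one fires. assertValidRegisterState begins before and continues past this hunk.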