diff --git a/js/src/jit-test/tests/jaeger/bug639808.js b/js/src/jit-test/tests/jaeger/bug639808.js
index 6aa6c470eeb..bf6b16c3d10 100644
--- a/js/src/jit-test/tests/jaeger/bug639808.js
+++ b/js/src/jit-test/tests/jaeger/bug639808.js
@@ -5,3 +5,12 @@ function f() {
 y - 1;
 }
 f();
+
+function g(q) {
+ var x = 1.23;
+ var y = [].length;
+ x = ++y;
+ if (q)
+ assertEq(y + 5, 6);
+}
+g(1);
diff --git a/js/src/methodjit/FrameState.cpp b/js/src/methodjit/FrameState.cpp
index 0eb12019400..95caea6194b 100644
--- a/js/src/methodjit/FrameState.cpp
+++ b/js/src/methodjit/FrameState.cpp
@@ -1664,32 +1664,33 @@ FrameState::ensureDouble(FrameEntry *fe)
 return;
 }

- if (fe->isCopy())
- fe = fe->copyOf();
-
 if (fe->isType(JSVAL_TYPE_DOUBLE))
 return;

- if (fe->isCopied()) {
- /* Find and fixup the type for any copies of this entry. */
+ FrameEntry *backing = fe;
+ if (fe->isCopy()) {
+ /* Forget this entry is a copy. We are converting this entry, not the backing. */
+ backing = fe->copyOf();
+ fe->clear();
+ } else if (fe->isCopied()) {
+ /* Sync and forget any copies of this entry. */
 for (uint32 i = fe->trackerIndex() + 1; i < tracker.nentries; i++) {
 FrameEntry *nfe = tracker[i];
 if (nfe->isCopy() && nfe->copyOf() == fe) {
- nfe->setType(JSVAL_TYPE_DOUBLE, NULL);
- nfe->data.unsync();
- nfe->type.unsync();
+ syncFe(nfe);
+ nfe->resetSynced();
 }
 }
 }

 FPRegisterID fpreg = allocFPReg();

- if (fe->isType(JSVAL_TYPE_INT32)) {
- RegisterID data = tempRegForData(fe);
+ if (backing->isType(JSVAL_TYPE_INT32)) {
+ RegisterID data = tempRegForData(backing);
 masm.convertInt32ToDouble(data, fpreg);
 } else {
- syncFe(fe);
- masm.moveInt32OrDouble(addressOf(fe), fpreg);
+ syncFe(backing);
+ masm.moveInt32OrDouble(addressOf(backing), fpreg);
 }

 forgetAllRegs(fe);
@@ -1700,8 +1701,6 @@ FrameState::ensureDouble(FrameEntry *fe)

 fe->data.unsync();
 fe->type.unsync();
-
- return;
 }

 void
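Review bot: In the new `fe->isCopy()` branch of `ensureDouble` (second hunk of FrameState.cpp), `backing = fe->copyOf()` feeds the load and `fe->clear()` severs the link, but nothing visible asserts the invariants this depends on: that `backing` is not itself a copy, and that `fe` no longer reports as one once cleared. A stale or chained copy link at this point would mean the JIT's tracked type disagrees with what is in the slot or register, so I would pin it with `JS_ASSERT(!backing->isCopy());` right after the assignment. The early `fe->isType(JSVAL_TYPE_DOUBLE)` return is now evaluated on the copy rather than on its backing entry; whether a copy carries its own known type is not visible here, so a one-line comment saying why that check is still sound would help. Likewise, `backing`'s copied state is not touched when its copy is cleared; if `clear()` or the lines between this hunk and the next take care of that, the comment on the branch should say so. The function begins before this hunk, so the first two context lines belong to an earlier branch I cannot see.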