Skip to content

Commit 7de850a

Browse files
pleathpleath
committed
Similar issue to the missiung-undef-initialization case I fixed last week, this is the case where we have a dominating initialization that nevertheless doesn't write to the variable's register, but a later delay-captured reference does write to the register. Conservatively emitting undef-init now; delay capture needs to be revisited in the wake of the stable closures change.
1 parent 0b9f3cd commit 7de850a

File tree

3 files changed

+117
-1
lines changed

3 files changed

+117
-1
lines changed

lib/Runtime/ByteCode/ByteCodeEmitter.cpp

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1389,7 +1389,7 @@ void ByteCodeGenerator::DefineUserVars(FuncInfo *funcInfo)
13891389

13901390
// Undef-initialize the home location if it is a register (not closure-captured, or else capture
13911391
// is delayed) or a property of an object.
1392-
if ((!sym->GetHasInit() && (!sym->NeedsSlotAlloc(funcInfo) || sym->GetHasNonCommittedReference())) ||
1392+
if ((sym->GetLocation() != Js::Constants::NoRegister && (!sym->GetHasInit() || (sym->NeedsSlotAlloc(funcInfo) && sym->GetHasNonCommittedReference()))) ||
13931393
(funcInfo->bodyScope->GetIsObject() && !funcInfo->GetHasCachedScope()))
13941394
{
13951395
Js::RegSlot reg = sym->GetLocation();

test/Closures/delaycapture-loopbody2.js

Lines changed: 109 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,109 @@
1+
//-------------------------------------------------------------------------------------------------------
2+
// Copyright (C) Microsoft. All rights reserved.
3+
// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
4+
//-------------------------------------------------------------------------------------------------------
5+
6+
function test0() {
7+
var loopInvariant = false ? 7 : 12;
8+
var GiantPrintArray = [];
9+
function makeArrayLength() {
10+
}
11+
function leaf() {
12+
}
13+
var obj0 = {};
14+
var protoObj0 = {};
15+
var obj1 = {};
16+
var arrObj0 = {};
17+
var litObj0 = { prop1: 3.14159265358979 };
18+
var litObj1 = { prop0: 0 };
19+
var func0 = function () {
20+
};
21+
var func1 = function () {
22+
};
23+
var func2 = function () {
24+
for (; protoObj0.prop0; 2) {
25+
ary(851125506.1 !== 2 && 2 < arrObj0.prop2, func0(arguments[2 + 0]), ary.reverse(), typeof ary[((Object.prototype.prop2 !== Object.prototype.length || obj5.prop1 < Object.prototype.length) >= 0 ? Object.prototype.prop2 !== Object.prototype.length || obj5.prop1 < Object.prototype.length : 0) & 15] != 'undefined', ui8[loopInvariant + 1 & 255] * (false ? (Object.defineProperty(obj5, 'prop0', {
26+
get: function () {
27+
WScript.Echo();
28+
return 3;
29+
},
30+
configurable: true
31+
}), 4294967297 & 702469842) : 4294967297 & 702469842) + ary.unshift(typeof obj5.prop0 != 'number', -1556722774.9 + Object.prototype.prop2, !221, func0.call(arrObj0, -1556722774.9 + Object.prototype.prop2), Object.prototype.prop2 >>= 33, typeof obj0.prop2 != 'object', -8074665319890990000 && 1413529899.1, obj5.prop1 = obj5.prop0, function () {
32+
;
33+
} instanceof (typeof Number == 'function' ? Number : Object), Math.sin(Object.prototype.prop0), -8074665319890990000 && 1413529899.1), typeof protoObj0.length == 'object', arguments[((typeof Object.prototype.prop1-- == 'boolean') >= 0 ? typeof Object.prototype.prop1-- == 'boolean' : 0) & 15]);
34+
func0(uic8[1522725379.1]);
35+
}
36+
};
37+
var func3 = function () {
38+
};
39+
var func4 = function () {
40+
};
41+
obj0.method0 = func2;
42+
obj1.method0 = obj0.method0;
43+
var ary = Array(10);
44+
var i8 = new Int8Array(256);
45+
var i16 = new Int16Array();
46+
var i32 = new Int32Array();
47+
var ui8 = new Uint8Array();
48+
var ui16 = new Uint16Array();
49+
var ui32 = new Uint32Array();
50+
var f32 = new Float32Array();
51+
var f64 = new Float64Array();
52+
var uic8 = new Uint8ClampedArray();
53+
var IntArr0 = Array(9);
54+
var IntArr1 = Array(-1399162652, 173143797, -1810098018, 96552438, 65535, -14752727, 1269200816, 226, -229);
55+
var FloatArr0 = [];
56+
var VarArr0 = Array();
57+
var a = 0;
58+
var b = 851125506.1;
59+
177;
60+
243;
61+
var aliasOflitObj0 = litObj0;
62+
-137;
63+
makeArrayLength(8805654756604090000);
64+
-1178371243;
65+
190816894 * this;
66+
var uniqobj4 = [];
67+
do {
68+
if (__loopvar0) {
69+
}
70+
var __loopvar1 = loopInvariant;
71+
for (var _strvar0 in i8) {
72+
if (4) {
73+
}
74+
obj1.method0();
75+
var __loopvar2 = loopInvariant, __loopSecondaryVar2_0 = loopInvariant;
76+
for (; _strvar0 < 3077559403207580000; VarArr0) {
77+
if (-2) {
78+
break;
79+
}
80+
var v1 = shouldBailout;
81+
var v2 = true;
82+
function v3() {
83+
Math(_strvar0 * __loopvar2);
84+
({ prop1: FloatArr0 });
85+
}
86+
v3(5);
87+
var __loopvar3 = loopInvariant, __loopSecondaryVar3_0 = loopInvariant;
88+
var __loopSecondaryVar4_0 = loopInvariant, __loopSecondaryVar4_1 = loopInvariant;
89+
90+
var __loopvar5 = loopInvariant - 3;
91+
for (var _strvar0 in FloatArr0) {
92+
if (typeof _strvar0 === 'string' && _strvar0.indexOf('method') != -1) {
93+
continue;
94+
}
95+
__loopvar5++;
96+
if (__loopvar5 == loopInvariant + 1) {
97+
break;
98+
}
99+
FloatArr0[_strvar0] = _strvar0;
100+
}
101+
var id28 = test0.caller >>> uic8[120 & 255];
102+
}
103+
}
104+
} while (false);
105+
var __loopvar0 = loopInvariant, __loopSecondaryVar0_0 = loopInvariant, __loopSecondaryVar0_1 = loopInvariant;
106+
}
107+
test0();
108+
109+
WScript.Echo('pass');

test/Closures/rlexe.xml

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,13 @@
7474
<tags>exclude_fre</tags>
7575
</default>
7676
</test>
77+
<test>
78+
<default>
79+
<files>delaycapture-loopbody2.js</files>
80+
<compile-flags>-lic:1 -bgjit- -InitializeInterpreterSlotsWithInvalidStackVar</compile-flags>
81+
<tags>exclude_fre</tags>
82+
</default>
83+
</test>
7784
<test>
7885
<default>
7986
<files>initcachedscope.js</files>

0 commit comments

Comments
 (0)