Rejit when we are doing aggressive int type specialization and attempt to convert a float to an int on a loop backedge. (#6336)

zenparsing · web-flow · commit 65dc1ca7f389 · 2020-04-11T07:22:24.000+01:00
Fixes #6325 In the POC (which repros 1.11 but requires some flags to repro in master), jitting a recursive loop body creates a situation where the type specialization of a sym in the loop prepass does not match the value types that are determined inside of the loop, leading to a lossy conversion from float64 to int32 on the backedge. This change detects the attempted lossy conversion and rejits with aggressive int type specialization disabled.
diff --git a/lib/Backend/GlobOpt.cpp b/lib/Backend/GlobOpt.cpp
@@ -12167,7 +12167,17 @@ GlobOpt::ToTypeSpecUse(IR::Instr *instr, IR::Opnd *opnd, BasicBlock *block, Valu
             const FloatConstType floatValue = valueInfo->AsFloatConstant()->FloatValue();
             if(toType == TyInt32)
             {
-                Assert(lossy);
+                // In some loop scenarios, a sym can be specialized to int32 on loop entry
+                // during the prepass and then subsequentely specialized to float within
+                // the loop, leading to an attempted lossy conversion from float64 to int32
+                // on the backedge. For these cases, disable aggressive int type specialization
+                // and try again.
+                if (!lossy)
+                {
+                    AssertOrFailFast(DoAggressiveIntTypeSpec());
+                    throw Js::RejitException(RejitReason::AggressiveIntTypeSpecDisabled);
+                }
+
                 constOpnd =
                     IR::IntConstOpnd::New(
                         Js::JavascriptMath::ToInt32(floatValue),
diff --git a/test/Optimizer/bug_gh6325.js b/test/Optimizer/bug_gh6325.js
@@ -0,0 +1,37 @@
+//-------------------------------------------------------------------------------------------------------
+// Copyright (C) Microsoft Corporation and contributors. All rights reserved.
+// Licensed under the MIT license. See LICENSE.txt file in the project root for full license information.
+//-------------------------------------------------------------------------------------------------------
+var b = 0;
+
+function test0() {
+  var a = 100;
+
+  for (var i = 1; i < 6; ++i) {
+    a;
+    test0a();
+    for (var j = 0; j < 1; ++j) {
+      a = 0xffffffffff;
+      for (var k = 0; k < 1; ++k) {
+        i = a;
+        +i;
+      }
+    }
+    if (i == 0xffffffffff) {
+      print('PASSED');
+      throw new Error('exit');
+    }
+  }
+
+  function test0a() {
+    a;
+    b = b + 1;
+    if (b > 100) {
+      return;
+    }
+    return test0();
+  }
+}
+
+try { test0(); }
+catch {}
diff --git a/test/Optimizer/rlexe.xml b/test/Optimizer/rlexe.xml
@@ -1628,4 +1628,11 @@
       <compile-flags>-maxinterpretcount:1 -maxsimplejitruncount:1</compile-flags>
     </default>
   </test>
+  <test>
+    <default>
+      <files>bug_gh6325.js</files>
+      <compile-flags>-off:backend -forcejitloopbody</compile-flags>
+      <tags>exclude_nonative</tags>
+    </default>
+  </test>
 </regress-exe>
