Bug 1195588: IonMonkey - Actually convert number to double during recovering ToDouble, r=nbp

@@ -1093,20 +1097,28 @@ MToDouble::writeRecoverData(CompactBuffe
 }

 RToDouble::RToDouble(CompactBufferReader& reader)
 { }

 bool
 RToDouble::recover(JSContext* cx, SnapshotIterator& iter) const
 {
-    Value v = iter.read();
+    RootedValue v(cx, iter.read());
+    RootedValue result(cx);

     MOZ_ASSERT(!v.isObject());
-    iter.storeInstructionResult(v);
+    MOZ_ASSERT(!v.isSymbol());
+
+    double dbl;
+    if (!ToNumber(cx, v, &dbl))
+        return false;
+
+    result.setDouble(dbl);
+    iter.storeInstructionResult(result);
     return true;
 }

 bool
 MToFloat32::writeRecoverData(CompactBufferWriter& writer) const
 {
     MOZ_ASSERT(canRecoverOnBailout());
     writer.writeUnsigned(uint32_t(RInstruction::Recover_ToFloat32));

js/src/jit-test/tests/ion/bug1195588.js

@@ -0,0 +1,15 @@
+function m(f) {
+    for (var k = 0; k < 2; ++k) {
+        try {
+            f()
+        } catch (e) {}
+    }
+}
+function g(i) {
+    x
+}
+m(g)
+function h() {
+    g(Math.sqrt(+((function() {}) < 1)))
+}
+m(h)

js/src/jit/Recover.cpp

@@ -1098,10 +1098,18 @@ RToDouble::RToDouble(CompactBufferReader& reader)
 bool
 RToDouble::recover(JSContext* cx, SnapshotIterator& iter) const
 {
-    Value v = iter.read();
+    RootedValue v(cx, iter.read());
+    RootedValue result(cx);
 
     MOZ_ASSERT(!v.isObject());
-    iter.storeInstructionResult(v);
+    MOZ_ASSERT(!v.isSymbol());
+
+    double dbl;
+    if (!ToNumber(cx, v, &dbl))
+        return false;
+
+    result.setDouble(dbl);
+    iter.storeInstructionResult(result);
     return true;
 }