Closed Bug 889186 Opened 11 years ago Closed 11 years ago

IonMonkey: incorrect result with nan uint comparison

Categories

(Core :: JavaScript Engine, defect)

All
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla25
Tracking Status
firefox24 --- affected
firefox25 --- fixed

People

(Reporter: jruderman, Assigned: h4writer)

References

Details

(Keywords: regression, testcase)

Attachments

(1 file)

function f()
{
    return (4 >>> 0) > ((0 % (1 == 2)) >>> 0);
}
for (var i = 0; i < 5; ++i) {
    assertEq(f(), true);
}

With --ion-eager: got false, expected true

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/ce43d28276e4
user:        Brian Hackett
date:        Fri Jun 14 05:58:28 2013 -0600
summary:     Bug 678037 - Enable lazy JS parsing and fix various bugs, r=waldo,evilpie,nobody.
Looks like the problem is not related to the function but to the loop.

If you call just once assertEq(f(), true), it will work.
If you call it several times in a row by hand, it should work too.

for (var i = 0; i < 1; ++i) { assertEq(f(), true); } // works

for (var i = 0; i < 2; ++i) { assertEq(f(), true); } // asserts
You don't need a loop to trigger the bug.  Two calls do it too:

function f()
{
    return (4 >>> 0) > ((0 % (1 == 2)) >>> 0);
}
assertEq(f(), true);
assertEq(f(), true);
Assignee: general → hv1989
Blocks: 871002
Hardware: x86_64 → All
Attached patch PatchSplinter Review
@Jesse, sorry about the delay. Totally forgot you said fixing this bug would help you fuzzing.

EliminateDeadResumePointOperands removes the first "4 >>> 0", since it only has uses in resumepoints. The actual use in the "<" has been removed by the UINT32 'hack' in MCompare::infer and there we don't mark the instruction as folded !
Attachment #773517 - Flags: review?(bhackett1024)
Attachment #773517 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/52627f6818c4
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: