Closed Bug 1527729 Opened 6 months ago Closed 6 months ago

Assertion failure in range analysis checking with BigInt

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

defect

Tracking

()

RESOLVED FIXED
mozilla67
Tracking Status
firefox67 --- fixed

People

(Reporter: terpri, Assigned: terpri)

References

Details

Attachments

(1 file)

This test case crashes when the checkRangeAnalysis JIT option is enabled (run with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis):

for (const x of [0n, 1n, 1n]) { print(((y)=>y|y)(x)); }
Blocks: js-bigint

Related to bug 1526870, about CacheIR support for BigInt comparisons.

I think we should probably add static bool BigInt::compare(BigInt*, int32_t), like we have for doubles. It would be useful for CacheIR as well. Then we can emit calls to it to check bigint bounds. I was going to suggest just papering over the issue by passing if the value is a bigint but as we need the comparison function anyway and it's a portable callVM, we might as well go ahead and do it.

Would you mind taking this, Robin?

Flags: needinfo?(robin)
See Also: → 1526870
Blocks: js-bigint-ship
No longer blocks: js-bigint

yes, i can take this one

Assignee: nobody → robin
Flags: needinfo?(robin)
Priority: -- → P1
Keywords: checkin-needed

Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/280ab3f61c87
Skip range computation for non-int32 bitwise ops r=wingo,jandem

Keywords: checkin-needed
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Duplicate of this bug: 1531287
You need to log in before you can comment on or make changes to this bug.