Closed Bug 1527729 Opened 5 years ago Closed 5 years ago

Assertion failure in range analysis checking with BigInt

Categories

(Core :: JavaScript Engine: JIT, defect, P1)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox67 --- fixed

People

(Reporter: terpri, Assigned: terpri)

References

Details

Attachments

(1 file)

Skip range computation for non-int32 bitwise ops
47 bytes, text/x-phabricator-request
Details | Review

This test case crashes when the checkRangeAnalysis JIT option is enabled (run with --fuzzing-safe --no-threads --ion-eager --ion-check-range-analysis):

for (const x of [0n, 1n, 1n]) { print(((y)=>y|y)(x)); }
Blocks: js-bigint

Related to bug 1526870, about CacheIR support for BigInt comparisons.

I think we should probably add static bool BigInt::compare(BigInt*, int32_t), like we have for doubles. It would be useful for CacheIR as well. Then we can emit calls to it to check bigint bounds. I was going to suggest just papering over the issue by passing if the value is a bigint but as we need the comparison function anyway and it's a portable callVM, we might as well go ahead and do it.

Would you mind taking this, Robin?

Flags: needinfo?(robin)
See Also: → 1526870
Blocks: js-bigint-ship
No longer blocks: js-bigint

yes, i can take this one

Assignee: nobody → robin
Flags: needinfo?(robin)
status-firefox67: --- → affected
Priority: -- → P1
Keywords: checkin-needed

Pushed by ccoroiu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/280ab3f61c87
Skip range computation for non-int32 bitwise ops r=wingo,jandem

Keywords: checkin-needed

https://hg.mozilla.org/mozilla-central/rev/280ab3f61c87

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox67: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
You need to log in before you can comment on or make changes to this bug.