Closed Bug 465249 Opened 16 years ago Closed 16 years ago

TM: "Assertion failure: (m != JSVAL_INT) || isInt32(*vp)" adding two large integers

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.1b2

People

(Reporter: jruderman, Assigned: dvander)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

proposed fix
1.49 KB, patch
gal
: review+
Details | Diff | Splinter Review
js> for (let j = 0; j < 5; ++j) { (0x50505050) + (0x50505050); } Assertion failure: (m != JSVAL_INT) || isInt32(*vp), at ../jstracer.cpp:1783 This assertion also shows up in bug 464116, but this testcase is simpler.
The testcase in comment 0 only works in the interactive shell. To reproduce this with a .js file, you'll need something like: eval("for (let j = 0; j < 5; ++j) { (0x50505050) + (0x50505050); }")
Assignee: general → danderson
Attached patch proposed fixSplinter Review
The problem was our LIR_fadd/fsub filter would keep LIR_i2f on overflowed constants. This fix detects overflow and constant folds appropriately.
Attachment #348497 - Flags: review?(gal)
Attachment #348497 - Flags: review?(gal) → review+
Pushed fix as changeset: http://hg.mozilla.org/tracemonkey/rev/c86e2bafd736
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Blocks: arithfuzz
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b2
reopening, marking blocking beta2, will close once landed on m-c.
Status: RESOLVED → REOPENED
Flags: blocking1.9.1? → blocking1.9.1-
Resolution: FIXED → ---
damon, I assume you meant to + blocking and not -?
Status: REOPENED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → FIXED
test landed http://hg.mozilla.org/mozilla-central/rev/164861c1e471 and cvs
Flags: in-testsuite+
Flags: in-litmus-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: