Closed Bug 504516 Opened 15 years ago Closed 15 years ago

TM: Crash with a "divide by zero" error (really -2147483648 / -1)

Categories

(Core :: JavaScript Engine, defect, P2)

x86
macOS
defect

Tracking


RESOLVED FIXED
Tracking Status
status1.9.2 --- beta1-fixed
status1.9.1 --- unaffected

People

(Reporter: gkw, Assigned: gal)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [ccbr][sg:dos], fixed-in-tracemonkey)

Attachments

(1 file, 2 obsolete files)

for (d in [0, 0]) {
    const a = (d -= (++d).toString())
    for each(b in [Number(1) << d, 0, 0xC]) {
        b / a
    }
}

crashes with TM branch js opt shell with -j with a DIVIDE BY ZERO error. Doesn't seem to occur in 1.9.1.

Exception Type:  EXC_ARITHMETIC (SIGFPE)
Exception Codes: EXC_I386_DIV (divide by zero)
Crashed Thread:  0

Thread 0 Crashed:
0   ???                           	0x0017ff51 0 + 1572689
1   ???                           	0xbffff228 0 + 3221221928
2   js-opt-tm-intelmac            	0x000f0e7e js_MonitorLoopEdge(JSContext*, unsigned int&) + 1326
3   js-opt-tm-intelmac            	0x00054ffa js_Interpret + 44266
4   js-opt-tm-intelmac            	0x0005a0c7 js_Execute + 407
5   js-opt-tm-intelmac            	0x0000e54c JS_ExecuteScript + 60
6   js-opt-tm-intelmac            	0x00004100 Process(JSContext*, JSObject*, char*, int) + 1616
7   js-opt-tm-intelmac            	0x000077cf main + 879
8   js-opt-tm-intelmac            	0x000022db _start + 209
9   js-opt-tm-intelmac            	0x00002209 start + 41
Flags: blocking1.9.2?
autoBisect shows this is probably related to bug 474443 :

The first bad revision is:
changeset:   28973:812a94dc7dd5
user:        Andreas Gal <gal@mozilla.com>
date:        Fri Jun 12 08:33:32 2009 -0700
summary:     Implement oracle-based speculative fmod/fdiv/fmul demotion (474443, r=graydon,dvander).
Blocks: 474443
Flags: wanted1.9.0.x-
Whiteboard: [sg:dos]
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Flags: in-testsuite?
Still crashes for me.
Whiteboard: [sg:dos] → [ccbr][sg:dos]
Attached patch patch (obsolete) — Splinter Review
Assignee: general → gal
Attachment #395550 - Flags: review?(dvander)
Comment on attachment 395550 [details] [diff] [review]
patch

The reason this happens is that it's dividing -2147483648 / -1, the result of which is 2147483648. But that doesn't fit in a 32-bit signed integer so the CPU bizarrely throws the "divide by zero" exception.

Might want to add a comment about that in the patch, or change the comment above the line.
Attachment #395550 - Flags: review?(dvander) → review+
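The x86 trap described in the comment above is easy to reproduce and easy to guard against in native code. The following is an added illustration, not part of the bug's patch or of TraceMonkey: a checked 32-bit division that rejects both conditions that make `idiv` raise #DE (SIGFPE), a zero divisor and INT32_MIN / -1, plus a wrapper that returns the double a JavaScript engine actually needs, so -2147483648 / -1 yields 2147483648.0 instead of crashing. The function names and the enum are my own, chosen for this example.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of a checked 32-bit signed division (names chosen for this example). */
typedef enum { DIV_OK, DIV_BY_ZERO, DIV_OVERFLOW } div_status;

/* Divide a by b with the two x86 idiv trap conditions checked up front:
 * a zero divisor, and INT32_MIN / -1, whose true quotient 2147483648 does
 * not fit in int32_t. The CPU reports both as the same "divide error"
 * exception, which is why the crash in this bug looks like a divide by zero. */
div_status checked_div32(int32_t a, int32_t b, int32_t *quot)
{
    if (b == 0)
        return DIV_BY_ZERO;
    if (a == INT32_MIN && b == -1)
        return DIV_OVERFLOW;
    *quot = a / b;   /* cannot trap: neither condition holds */
    return DIV_OK;
}

/* Division with JavaScript's result type: a double. The int32 fast path is
 * taken only when it cannot trap and the quotient is exact; everything else
 * (zero divisor -> Infinity/NaN, INT32_MIN / -1 -> 2147483648.0, inexact
 * quotients such as 7 / 2) falls back to IEEE double arithmetic. */
double div32_to_double(int32_t a, int32_t b)
{
    int32_t q;
    if (checked_div32(a, b, &q) == DIV_OK && a % b == 0)
        return (double)q;            /* exact integer fast path */
    return (double)a / (double)b;    /* trap-free fallback */
}

int main(void)
{
    int32_t q;
    printf("INT32_MIN / -1 status: %d (expect DIV_OVERFLOW = %d)\n",
           checked_div32(INT32_MIN, -1, &q), DIV_OVERFLOW);
    printf("INT32_MIN / -1 as JS value: %.1f\n", div32_to_double(INT32_MIN, -1));
    return 0;
}
```

The second function mirrors the shape of the fix a tracing JIT needs: demote to integer division only after proving the divisor is neither 0 nor -1 (or at least that the dividend is not INT32_MIN), and otherwise take the double path.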
Attached patch patch (obsolete) — Splinter Review
Attachment #395550 - Attachment is obsolete: true
Attachment #396364 - Flags: review?(dvander)
Comment on attachment 396364 [details] [diff] [review]
patch


>-        if (!d1->isconst())
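Review bot: dropping the `if (!d1->isconst())` guard means a constant divisor now takes the same path as a runtime one, so the patch should state in a comment at this line which divisor values the remaining checks exclude; as the review of attachment 395550 notes, the trap here is -2147483648 / -1 overflowing int32, not only a zero divisor, and a reader of this hunk cannot see from the deleted line alone that the -1 case is covered.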

Should we keep this check?
Summary: TM: Crash with a divide by zero error → TM: Crash with a "divide by zero" error (really -2147483648 / -1)
Attached patch patch — Splinter Review
Attachment #396364 - Attachment is obsolete: true
Attachment #396364 - Flags: review?(dvander)
Attachment #396678 - Flags: review?(dvander)
Attachment #396678 - Flags: review?(dvander) → review+
http://hg.mozilla.org/tracemonkey/rev/48c039f7ac4f
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos], fixed-in-tracemonkey
Backed out. As much as I can't believe I am guilty it looks like I made us go orange.

http://hg.mozilla.org/tracemonkey/rev/dc2598d08078
Whiteboard: [ccbr][sg:dos], fixed-in-tracemonkey → [ccbr][sg:dos]
The orange that happened with this checkin looked random.  The serious permaorange was clearly caused by bug 471214.
Testing Jesse's theory. Brendan backed out 471214.

http://hg.mozilla.org/tracemonkey/rev/dc2598d08078
Whiteboard: [ccbr][sg:dos] → [ccbr][sg:dos], fixed-in-tracemonkey
Blocks: 515391
No longer blocks: 515391
Depends on: 515391
http://hg.mozilla.org/mozilla-central/rev/48c039f7ac4f
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite? → in-testsuite+