Closed Bug 579646 Opened 11 years ago Closed 11 years ago

TM: "Assertion failure: hasInt32Repr(*vp),"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: luke)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

for (a = 0; a < 9; a++)
    for (b = 0; b < 1; b++)
        for (c = 0; c < 2; c++)
            gczeal();
for each(e in [NaN])
    for (d = 0; d < 1; d++)
        z = 0;
for (w in [0, 0])
{}
x = 0;
for (e = 0; e < 3; e++)
    for (f = 0; f < 4; f++)
        x = -x

asserts js debug shell on TM tip with -j at Assertion failure: hasInt32Repr(*vp), at ../jstracer.cpp:4026
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   47546:9c869e64ee26
user:        Luke Wagner
date:        Wed Jul 14 23:19:36 2010 -0700
summary:     Bug 549143 - fatvals
Blocks: fatvals
Attached patch fix (obsolete) — Splinter Review
The issue here is that, after fatvals, while the engine generally tries to put integral doubles into ints, the engine does not maintain the rigid invariant that a double never holds an int.  That means, in record_JSOP_NEG, the following condition which is supposed to catch 0 <==> -0 was valid before and now not:

         /*
          * If we're a promoted integer, we have to watch out for 0s since -0 is
          * a double. Only follow this path if we're not an integer that's 0 and
          * we're not a double that's zero.
          */
         if (oracle &&
             !oracle->isInstructionUndemotable(cx->regs->pc) &&
             isPromoteInt(a) &&
             (!v.isInt32() || v.toInt32() != 0) &&
             (!v.isDouble() || !JSDOUBLE_IS_NEGZERO(v.toDouble())) &&  // ***
             -v.toNumber() == (int)-v.toNumber())
         {

IIUC, the simple fix is to replace "!JSDOUBLE_IS_NEGZERO(...)" with "v.toDouble() != 0".  Why the original code insisted on checking the (slower) more exact condition, I do not know.
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #458263 - Flags: review?(gal)
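
Added example, not part of the attached patch or the SpiderMonkey source: a simplified C++ model of the value tests in the condition quoted in the comment above. It shows that a double holding +0 passes the original check although its negation is -0, which has no int32 representation, and that the proposed "v.toDouble() != 0" comparison rejects it. Val, fits_int, is_negzero, has_int32_repr and the guard functions are hypothetical stand-ins, and the sample values are constructed.

```cpp
// Added illustration. Val, fits_int, is_negzero and has_int32_repr are
// simplified stand-ins (assumptions), not SpiderMonkey code.
#include <cmath>
#include <cstdint>
#include <cstdio>

struct Val {                      // tagged value: either an int32 or a double
    bool is_int; int32_t i; double d;
    double to_number() const { return is_int ? i : d; }
};
Val Int(int32_t i) { return {true, i, 0.0}; }
Val Dbl(double d)  { return {false, 0, d}; }

bool is_negzero(double d) { return d == 0 && std::signbit(d); }
// Range-checked form of "n == (int)n"; false for NaN and out-of-range values.
bool fits_int(double n) {
    return n >= INT32_MIN && n <= INT32_MAX && n == (double)(int32_t)n;
}
// An int32 can hold the value only if it is integral, in range, and not -0.
bool has_int32_repr(double n) { return fits_int(n) && !is_negzero(n); }

// Value tests of the quoted condition (oracle and isPromoteInt terms omitted).
bool old_guard(const Val& v) {
    return (!v.is_int || v.i != 0) &&
           (v.is_int || !is_negzero(v.d)) &&       // the line marked ***
           fits_int(-v.to_number());
}
// Same tests with the proposed replacement "v.toDouble() != 0".
bool new_guard(const Val& v) {
    return (!v.is_int || v.i != 0) &&
           (v.is_int || v.d != 0) &&
           fits_int(-v.to_number());
}
// True when the guard picks the int path but -v cannot be stored as an int32.
bool unsound(bool (*guard)(const Val&), const Val& v) {
    return guard(v) && !has_int32_repr(-v.to_number());
}

int main() {
    const Val samples[] = { Int(0), Int(7), Dbl(0.0), Dbl(-0.0), Dbl(5.0), Dbl(1.5) };
    for (const Val& v : samples)                   // constructed sample inputs
        std::printf("%s %g: old=%d new=%d old_unsound=%d\n",
                    v.is_int ? "int" : "dbl", v.to_number(),
                    old_guard(v), new_guard(v), unsound(old_guard, v));
}
```
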
Attached patch fix and testcase — Splinter Review
Forgot to include Gary's fine test case!
Attachment #458263 - Attachment is obsolete: true
Attachment #458271 - Flags: review?(gal)
Attachment #458263 - Flags: review?(gal)
Attachment #458271 - Flags: review?(gal) → review+
http://hg.mozilla.org/tracemonkey/rev/abc227b2380f
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/abc227b2380f
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
blocking2.0: ? → betaN+
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug579646.js.
Flags: in-testsuite+