Closed Bug 617712 Opened 14 years ago Closed 14 years ago

TypeInference: crash in debug and release builds

Categories: Core :: JavaScript Engine, defect
Platform: x86, macOS
Severity: normal; Priority: Not set
Status: RESOLVED FIXED
People: Reporter: jandem; Assignee: Unassigned
Whiteboard: fixed-in-jaegermonkey

---
// Reporter's test case (comment 0). Later comments trace the crash to the
// loop body, specifically the constant-folded division (123 ^ 1) / 1234.
for(var i=0; i<25; i++) {
    var a, b;
    function f() {
    }
    a = f();
    b = (123 ^ 1) / 1234;
}
---
Looks like it crashes in PIC-like code.
(In reply to comment #0)
> Looks like it crashes in PIC-like code.

On closer look, it's "just" crashing in the loop body.
Btw, why do we generate an OOL call to stubs::Div here?
One tricky thing is that the inference doesn't constant fold, and it thinks (int / int) produces an int.  So when the compiler comes along and constant folds, it triggers an overflow which would normally require updating the type pushed by the division.  That can't happen during compilation, as updating the pushed type could flow anywhere and trigger type changes in the code already compiled in the script.

This is currently addressed by not constant-folding binops which overflow, which breaks the property described in bug 617592 comment 1 (a recompilation could mark the result as a double and allow the constant fold, leading to future constant folding).  This needs to get fixed (it's also causing bug 617670), but might not happen for some time as I've just been retasked to work on blockers.
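An added illustration of the mismatch the comment above describes, written for this page in JavaScript and not taken from JaegerMonkey: a toy "inference" phase records a result type for each binop by operand types alone (int op int is recorded as int, an assumption of the model), and a toy "compiler" phase constant-folds but refuses any fold whose value is not an int32 when the recorded type is int, since re-marking the pushed type as double mid-compile is what the comment says cannot happen. The names inferBinopType, tryConstantFold and demo are inventions of this model, and "not an int32" is taken generally here (out of range, non-integral, or -0), which covers the reporter's division as well as true overflow.

```javascript
// Added model, not JaegerMonkey code: why a folder must not silently turn
// an operation that inference marked "int" into a double.

// Would the engine push `v` as an int32? (integral, in range, and not -0)
function isInt32Value(v) {
  return Number.isInteger(v) &&
         v >= -2147483648 && v <= 2147483647 &&
         !(v === 0 && 1 / v === -Infinity);
}

// Inference phase: type by operand types only, no evaluation, no folding.
// Model assumption: int op int is recorded as "int" for every binop.
function inferBinopType(leftType, rightType) {
  return (leftType === "int" && rightType === "int") ? "int" : "double";
}

function evalBinop(op, a, b) {
  switch (op) {
    case "+": return a + b;
    case "-": return a - b;
    case "*": return a * b;
    case "/": return a / b;
    case "^": return a ^ b;
    default: throw new Error("unsupported op " + op);
  }
}

// Compiler phase: fold two constants only if the folded value still has the
// type inference recorded. Otherwise leave a runtime op in place (the
// equivalent of the OOL stub call the reporter asked about) rather than
// update the pushed type during compilation.
function tryConstantFold(op, a, b, inferredType) {
  const value = evalBinop(op, a, b);
  const valueType = isInt32Value(value) ? "int" : "double";
  if (inferredType === "int" && valueType !== "int") {
    return { folded: false, value: undefined,
             reason: "folding would change the pushed type from int to double" };
  }
  return { folded: true, value: value, reason: null };
}

// Walk the reporter's expression (123 ^ 1) / 1234 through both phases.
function demo() {
  const xorType = inferBinopType("int", "int");              // "int"
  const xor = tryConstantFold("^", 123, 1, xorType);         // folds to 122
  const divType = inferBinopType(xorType, "int");            // still "int": no folding here
  const div = tryConstantFold("/", xor.value, 1234, divType); // 122/1234 is not an int32
  return { xor: xor, divType: divType, div: div };
}
```

Running demo() shows the shape of the problem: inference hands the compiler an "int" for the division, the fold produces a fraction, and the only safe move during compilation is to decline the fold. The same check declines 2147483647 + 1 (range) and -1 * 0 (negative zero), the other two ways an int32 binop escapes the int type.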
This was fixed by the patch in bug 617670.

http://hg.mozilla.org/projects/jaegermonkey/rev/c247104a1499
Whiteboard: fixed-in-jaegermonkey
Depends on: 617670
Blocks: infer-regress
No longer blocks: TypeInference
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED