Closed Bug 692332 Opened 14 years ago Closed 14 years ago

IonMonkey: Miscompilation of 1/x.

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: sstangl, Unassigned)

Details

Attachments

(2 files)

LIR 14 years ago Sean Stangl [:sstangl] 14.16 KB, image/png		Details
sup 14 years ago Sean Stangl [:sstangl] 596 bytes, patch	dvander : review+	Details \| Diff \| Splinter Review

Sean Stangl [:sstangl]

Reporter

Description

•

14 years ago

The following code miscompiles on x64: > function f(x) { return 1/x; } f(3) returns 1. The MIR is correct, but the LIR contains two LInteger(1) instructions, and the generated assembly overwrites the parameter of |3| with |1|, although the regalloc does not show any intended use of that register. Fixing this fixes SS' math-spectral-norm.

Sean Stangl [:sstangl]

Reporter

Comment 1

•

14 years ago

Attached image LIR — Details

Oh, the LIR is just totally incorrect. It is explicitly calculating 1/1 (v4,v5).

Sean Stangl [:sstangl]

Reporter

Comment 2

•

14 years ago

Attached patch sup — Details — Splinter Review

Attachment #565089 - Flags: review?(dvander)

David Anderson [:dvander] - inactive, e-mail if emergency

Comment 3

•

14 years ago

Comment on attachment 565089 [details] [diff] [review] sup nice

Attachment #565089 - Flags: review?(dvander) → review+

Sean Stangl [:sstangl]

Reporter

Comment 4

•

14 years ago

http://hg.mozilla.org/projects/ionmonkey/rev/86b68bdba42f

Status: NEW → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

IonMonkey: Miscompilation of 1/x.

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: sstangl, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Attachment

General

Description

File Name

Content Type