Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 692332 - IonMonkey: Miscompilation of 1/x.
: IonMonkey: Miscompilation of 1/x.
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: unspecified
: x86_64 Linux
: -- normal (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
  Show dependency treegraph
Reported: 2011-10-05 17:13 PDT by Sean Stangl [:sstangl]
Modified: 2011-10-06 17:04 PDT (History)
0 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

LIR (14.16 KB, image/png)
2011-10-05 17:19 PDT, Sean Stangl [:sstangl]
no flags Details
sup (596 bytes, patch)
2011-10-05 17:30 PDT, Sean Stangl [:sstangl]
dvander: review+
Details | Diff | Splinter Review

Description Sean Stangl [:sstangl] 2011-10-05 17:13:20 PDT
The following code miscompiles on x64:
> function f(x) { return 1/x; }

f(3) returns 1. The MIR is correct, but the LIR contains two LInteger(1) instructions, and the generated assembly overwrites the parameter of |3| with |1|, although the regalloc does not show any intended use of that register.

Fixing this fixes SS' math-spectral-norm.
Comment 1 Sean Stangl [:sstangl] 2011-10-05 17:19:46 PDT
Created attachment 565085 [details]

Oh, the LIR is just totally incorrect. It is explicitly calculating 1/1 (v4,v5).
Comment 2 Sean Stangl [:sstangl] 2011-10-05 17:30:31 PDT
Created attachment 565089 [details] [diff] [review]
Comment 3 David Anderson [:dvander] 2011-10-05 17:31:21 PDT
Comment on attachment 565089 [details] [diff] [review]

Comment 4 Sean Stangl [:sstangl] 2011-10-06 17:04:26 PDT

Note You need to log in before you can comment on or make changes to this bug.