Closed Bug 716119 Opened 11 years ago Closed 11 years ago

Miscompilation of conditional expressions

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
9 Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla12
Tracking Flags:
Tracking Status
firefox9 --- affected
firefox10 + ---
firefox11 - ---
firefox12 - ---

People

(Reporter: jerome.vouillon, Assigned: bhackett1024)

References

Details

(Keywords: regression)

Attachments

(1 file)

patch
3.53 KB, patch
dvander
: review+
Details | Diff | Splinter Review 
The Javascript code at http://www.pps.jussieu.fr/~vouillon/bug/ is not interpreted correctly by Firefox 9: it should display a nice graph, but instead displays ellipses all over the place.

I have tracked this down to what looks like the miscompilation of the conditional expression (pi_A9_<alpha_Hl_?1:0) on line 4881 in hypertree.js. Indeed, I have added the following debugging code:

    _wh_.log(start_Hk_,fin_Hl_,alpha_Hm_,pi_A9_<alpha_Hm_?1:0);

where _wh_ is window.console, _pi_A9_ = 3.1415...
(This is computer-generated code, and I made the change in the source code, so the variable names are not exactly the same.)
Then, I get incorrect outputs like the following one:

      -1.570796326794897 -1.2702070146247024 0.30058931217019413 1

Clearly, the last number should be 0.

I don't know how to reproduce the bug in a smaller program.  In particular, I seem to get correct outputs when I change slightly the line above, for instance by removing the first two arguments start_Hk_ and fin_Hl_, or by replacing _wh_ by window.console.
Turning off TI makes the problem go away...

I also see the problem in nightlies.
Status: UNCONFIRMED → NEW
status-firefox9: --- → affected
tracking-firefox10: --- → ?
tracking-firefox11: --- → ?
tracking-firefox12: --- → ?
Ever confirmed: true
Keywords: regression
Attached patch patchSplinter Review 
Regalloc bug when doing a branch based on values known to be floating point numbers.  We didn't take care to ensure that sync code did not clobber the registers that were about to be compared, so the comparison could end up using incorrect values in the lhs/rhs.

I like the website, I've seen a fair number of those critters while diving here in california.
Assignee: general → bhackett1024
Attachment #588291 - Flags: review?(dvander)
Attachment #588291 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/2b2ca37b0305
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
This is a regression in FF9, and we're not seeing any dupes, so I'm untracking for 11/12/13. This can ride the trains.
tracking-firefox11: +-
tracking-firefox12: +-
You need to log in before you can comment on or make changes to this bug.