801156 - IonMonkey: Assertion failure: def->range()->lower() <= def->range()->upper(), at ion/RangeAnalysis.cpp:487

Status: RESOLVED DUPLICATE of bug 766592

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision 90857937b601 (run with --ion-eager):


test();
function test() {
    var i=0;
    var j=0;
    var limit=0;
    for (i = 3; i<= n; i+=2) {
    limit = 1;
    for (j = 3; j < limit; j+=2)
      if (i % j == 0) {}
    }
}

Comment 1

[Christian Holler (:decoder)]

S-s due to range assertion, feel free to unhide if this is not dangerous in any way :)

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   109621:c0b305197227
user:        Marty Rosenberg
date:        Tue Oct 02 04:34:28 2012 -0400
summary:     Teach RangeAnalysis how to deal with unreachable blocks (bug 765119, r=dvander)

This iteration took 0.506 seconds to run.

Comment 3

[Christian Holler (:decoder)]

Marty, are these range assertions dangerous in any way? If so, can you suggest a security-rating?

Comment 4

[Marty Rosenberg [:mjrosenb]]

they aren't dangerous, it probably means that I just messed up somewhere
In this case, it may be getting nervous that we're attempting to evaluate foo % 0. Not sure if that is the case, but I know there have been problems with blocks that are guaranteed unreachable in the past.

Comment 5

[Marty Rosenberg [:mjrosenb]]

Attachment: /home/mrosenberg/patches/fixMMod-r0.patch

As expected, it was a silly bug with a simple fix.  I also fixed a whitespace typo.

Comment 6

[Jan de Mooij [:jandem]]

Comment on attachment 674309 [details] [diff] [review]
/home/mrosenberg/patches/fixMMod-r0.patch

Review of attachment 674309 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with the testcase added.

Slightly related, but it would be really good to have debug-only runtime range checks, probably behind a pref.

Comment 7

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6eca73d185d0).

Comment 8

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, failed due to error (try manually).

Comment 9

[Christian Holler (:decoder)]

I rebooted the machine as it was behaving weirdly. Let's see if that helps.

Comment 10

[Christian Holler (:decoder)]

JSBugMon: Fix Bisection requested, failed due to error (try manually).

Comment 11

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   109621:c0b305197227
user:        Marty Rosenberg
date:        Tue Oct 02 04:34:28 2012 -0400
summary:     Teach RangeAnalysis how to deal with unreachable blocks (bug 765119, r=dvander)

Comment 12

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

This is likely fixed by:

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   114092:89e5db8cf62f
user:        Brian Hackett
date:        Fri Nov 23 23:23:03 2012 -0500
summary:     Add symbolic range analysis for loop induction variables, bug 766592. r=mjrosenb

Brian, do you think this is possible?

Comment 13

[Brian Hackett [Laid off!]]

Yeah, this made a bunch of changes to the range analysis which could have fixed this assert.