Closed
Bug 893364
Opened 11 years ago
Closed 11 years ago
FPE crash in OdinMonkey-generated code with (subtractionExpr % -1)
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla25
People
(Reporter: jruderman, Assigned: bbouvier)
Details
(Keywords: crash, regression, testcase)
Attachments
(1 file)
1.78 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
function m() { "use asm"; function f() { return (((0x77777777 - 0xcccccccc) | 0) % -1) | 0; } return f; } m()() Like bug 892291 (recently fixed), this started crashing when bug 864400 landed, but might be a pre-existing range analysis bug.
Comment 1•11 years ago
|
||
Nicolas: Do you think this is another range analysis bug as Jesse suggests?
Flags: needinfo?(nicolas.b.pierron)
Comment 2•11 years ago
|
||
I think this is likely that there is a Range Analysis issue fixable with a similar patch as done for Bug 892291. The reasons being that ASM.JS reuse the same truncate flag of the Range Analysis, but the Range Analysis was made assuming that no-one else was setting these truncate flags.
Flags: needinfo?(nicolas.b.pierron)
Assignee | ||
Comment 3•11 years ago
|
||
Same patch as bug 892291. Bonus: same case is hit for additions overflowing in negative values.
Assignee: general → bbouvier
Status: NEW → ASSIGNED
Attachment #775901 -
Flags: review?(nicolas.b.pierron)
Updated•11 years ago
|
Attachment #775901 -
Flags: review?(nicolas.b.pierron) → review+
Assignee | ||
Comment 4•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4a42817c9d5d
Comment 5•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/4a42817c9d5d
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in
before you can comment on or make changes to this bug.
Description
•