Closed Bug 893364 Opened 11 years ago Closed 11 years ago

FPE crash in OdinMonkey-generated code with (subtractionExpr % -1)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla25

People

(Reporter: jruderman, Assigned: bbouvier)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

proposed fix + test case
1.78 KB, patch
nbp
: review+
Details | Diff | Splinter Review 
function m()
{
    "use asm";
    function f()
    {
        return (((0x77777777 - 0xcccccccc) | 0) % -1) | 0;
    }
    return f;
}
m()()

Like bug 892291 (recently fixed), this started crashing when bug 864400 landed, but might be a pre-existing range analysis bug.
Nicolas: Do you think this is another range analysis bug as Jesse suggests?
Flags: needinfo?(nicolas.b.pierron)
I think this is likely that there is a Range Analysis issue fixable with a similar patch as done for Bug 892291.  The reasons being that ASM.JS reuse the same truncate flag of the Range Analysis, but the Range Analysis was made assuming that no-one else was setting these truncate flags.
Flags: needinfo?(nicolas.b.pierron)
Same patch as bug 892291. Bonus: same case is hit for additions overflowing in negative values.
Assignee: general → bbouvier
Status: NEW → ASSIGNED
Attachment #775901 - Flags: review?(nicolas.b.pierron)
Attachment #775901 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/4a42817c9d5d
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: