Closed Bug 893364 Opened 7 years ago Closed 7 years ago

FPE crash in OdinMonkey-generated code with (subtractionExpr % -1)

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS

Tracking

RESOLVED FIXED
mozilla25

People

(Reporter: jruderman, Assigned: bbouvier)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

function m()
{
    "use asm";
    function f()
    {
        return (((0x77777777 - 0xcccccccc) | 0) % -1) | 0;
    }
    return f;
}
m()()

Like bug 892291 (recently fixed), this started crashing when bug 864400 landed, but might be a pre-existing range analysis bug.
Nicolas: Do you think this is another range analysis bug as Jesse suggests?
Flags: needinfo?(nicolas.b.pierron)
I think it is likely that there is a Range Analysis issue fixable with a patch similar to the one done for Bug 892291. The reason being that ASM.JS reuses the same truncate flag of the Range Analysis, but the Range Analysis was made assuming that no one else was setting these truncate flags.
Flags: needinfo?(nicolas.b.pierron)
Same patch as bug 892291. Bonus: same case is hit for additions overflowing in negative values.
Assignee: general → bbouvier
Status: NEW → ASSIGNED
Attachment #775901 - Flags: review?(nicolas.b.pierron)
Attachment #775901 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/4a42817c9d5d
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25