Closed
Bug 900437
Opened 11 years ago
Closed 11 years ago
Assertion failure: !minimalInterval(interval), at ion/BacktrackingAllocator.cpp:510
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla26
People
(Reporter: decoder, Assigned: sunfish)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files, 2 obsolete files)
|
6.68 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
|
1.34 KB,
text/plain
|
Details |
The following testcase asserts on mozilla-central revision 05d3797276d3 (run with --fuzzing-safe --ion-eager --ion-regalloc=backtracking):
function test() {
var x = 0.0;
while(1) -("") >> x / x;
}
test();
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
Reporter | |
Comment 2•11 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/4370f503d69f user: Brian Hackett date: Thu May 23 13:25:19 2013 -0600 summary: Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem. This iteration took 10.723 seconds to run.
|
|
Reporter | |
Comment 4•11 years ago
|
||
Needinfo from Brian based on comment 3.
Flags: needinfo?(bhackett1024)
|
Assignee | |
Comment 5•11 years ago
|
||
I believe this is a bug with how the x86 lowering code creates LDivI. I am working on a patch.
Assignee: general → sunfish
Flags: needinfo?(bhackett1024)
|
|
Assignee | |
Comment 6•11 years ago
|
||
The comment added in Lowering-x86-shared.cpp briefly explains the tricky situation imposed by LDivI's constraints here. Other approaches to fixing this bug are possible. One could say that the register allocator should provide mechanisms to allow the constraints to be precisely modeled, however as long as this situation is limited to LDivI, it isn't obviously worthwhile. The attached patch has the advantage of being uncomplicated and unobtrusive.
Attachment #785439 -
Flags: review?(bhackett1024)
|
|
Assignee | |
Comment 7•11 years ago
|
||
Updated to include the testcase.
Attachment #785439 -
Attachment is obsolete: true
Attachment #785439 -
Flags: review?(bhackett1024)
Attachment #785441 -
Flags: review?(bhackett1024)
|
||
Comment 8•11 years ago
|
||
Comment on attachment 785441 [details] [diff] [review] div-self.patch Review of attachment 785441 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for the delay, and thanks! ::: js/src/ion/shared/CodeGenerator-x86-shared.cpp @@ +766,5 @@ > + Register output = ToRegister(ins->output()); > + MDiv *mir = ins->mir(); > + > + JS_ASSERT(mir->canBeDivideByZero()); > + rm extra whitespace
Attachment #785441 -
Flags: review?(bhackett1024) → review+
|
|
Assignee | |
Comment 9•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ec1dff8c460
|
||
Comment 10•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/3ec1dff8c460
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla26
|
|
Reporter | |
Updated•11 years ago
|
status-firefox24:
--- → affected
|
|
Reporter | |
Comment 11•11 years ago
|
||
Attachment #784326 -
Attachment is obsolete: true
|
|
Reporter | |
Updated•11 years ago
|
status-firefox25:
--- → affected
You need to log in
before you can comment on or make changes to this bug.
Description
•