Closed
Bug 927389
Opened 10 years ago
Closed 10 years ago
OdinMonkey: Assertion failure: max_exponent_ + canHaveFractionalPart_ >= mozilla::FloorLog2(mozilla::Abs(upper_)), at jit/RangeAnalysis.h
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
Tracking | Status | |
---|---|---|
firefox24 | --- | unaffected |
firefox25 | --- | unaffected |
firefox26 | --- | unaffected |
firefox27 | --- | affected |
firefox-esr17 | --- | unaffected |
firefox-esr24 | --- | unaffected |
People
(Reporter: gkw, Assigned: sunfish)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])
Attachments
(3 files)
(function() { "use asm" function f() { +~~1.1 } })() asserts js debug shell on m-c changeset c14ca6b27b30 with --ion-gvn=off at Assertion failure: max_exponent_ + canHaveFractionalPart_ >= mozilla::FloorLog2(mozilla::Abs(upper_)), at jit/RangeAnalysis.h My configure flags are: CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache
![]() |
Reporter | |
Updated•10 years ago
|
Blocks: odinfuzz
Summary: Assertion failure: max_exponent_ + canHaveFractionalPart_ >= mozilla::FloorLog2(mozilla::Abs(upper_)), at jit/RangeAnalysis.h → OdinMonkey: Assertion failure: max_exponent_ + canHaveFractionalPart_ >= mozilla::FloorLog2(mozilla::Abs(upper_)), at jit/RangeAnalysis.h
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 1•10 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
![]() |
Reporter | |
Comment 2•10 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/42a20a0d4269 user: Dan Gohman date: Tue Oct 15 20:49:44 2013 -0700 summary: Bug 918607 - IonMonkey: Add a Range::setDouble which takes double arguments and use it to simplify and generalize several things. Dan, is bug 918607 a likely regressor?
Blocks: 918607
status-firefox24:
--- → unaffected
status-firefox25:
--- → unaffected
status-firefox26:
--- → unaffected
status-firefox27:
--- → affected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → unaffected
Flags: needinfo?(sunfish)
Assignee | ||
Comment 3•10 years ago
|
||
Yes, it is. The bug here is that Range::wrapAroundToInt32 is setting hasFractionalPart_ to false without checking whether this allows lower_/upper_ to be improved, and the new strict checking is catching the fact that an opportunity for improvement was missed.
Assignee: general → sunfish
Flags: needinfo?(sunfish)
Assignee | ||
Comment 4•10 years ago
|
||
This patch refactors out the code for refining lower_/upper_ using max_exponent_ from Range::intersect into a helper function so that it can be used by Range::wrapAroundToInt32 too.
Attachment #819378 -
Flags: review?(nicolas.b.pierron)
Comment 5•10 years ago
|
||
Comment on attachment 819378 [details] [diff] [review] range-refine-bounds-after-clearing-fractional.patch Review of attachment 819378 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/RangeAnalysis.h @@ +256,5 @@ > > + // Compute the best lower and upper bounds that would be compatible with > + // max exponent value of e, if possible. If it is, set *impliedLower and > + // *impliedUpper and return true. Otherwise return false. > + static void refineInt32BoundsByExponent(uint16_t e, int32_t *l, int32_t *h) { nit: Precise that this function is only useful when we get the exponent from a range which has a fractional part, as only in such case the exponent might be more precise than the int32 bound.
Attachment #819378 -
Flags: review?(nicolas.b.pierron) → review+
Comment 6•10 years ago
|
||
No ASM.js required here, this reproduces for me as well: (function () { var x = 0 || 1.1; x >> x; })();
Comment 7•10 years ago
|
||
Assignee | ||
Comment 8•10 years ago
|
||
(In reply to Nicolas B. Pierron [:nbp] from comment #5) > Comment on attachment 819378 [details] [diff] [review] > range-refine-bounds-after-clearing-fractional.patch > > Review of attachment 819378 [details] [diff] [review]: > ----------------------------------------------------------------- > > ::: js/src/jit/RangeAnalysis.h > @@ +256,5 @@ > > > > + // Compute the best lower and upper bounds that would be compatible with > > + // max exponent value of e, if possible. If it is, set *impliedLower and > > + // *impliedUpper and return true. Otherwise return false. > > + static void refineInt32BoundsByExponent(uint16_t e, int32_t *l, int32_t *h) { > > nit: Precise that this function is only useful when we get the exponent from > a range which has a fractional part, as only in such case the exponent might > be more precise than the int32 bound. Done. https://hg.mozilla.org/integration/mozilla-inbound/rev/ce54c42790f6
https://hg.mozilla.org/mozilla-central/rev/ce54c42790f6
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
![]() |
Reporter | |
Updated•10 years ago
|
Component: JavaScript Engine → JavaScript Engine: JIT
You need to log in
before you can comment on or make changes to this bug.
Description
•