Closed Bug 928450 Opened 6 years ago Closed 6 years ago

Assertion failure: lower_ <= upper_, at jit/RangeAnalysis.h

Categories: Core :: JavaScript Engine: JIT, defect, critical
Platform: x86_64, macOS
Priority: Not set
Tracking: RESOLVED FIXED, mozilla27
People: Reporter: gkw, Assigned: sunfish
References: Blocks 1 open bug
Details: Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update]
Attachments: 2 files

Attached file stack without symbols
(function() {
    "use asm"
    function f() {
        i((1.5 != 2.) ? 3 : 0)
    }
})()

asserts js debug shell on m-c changeset 4e7d1e2c93a6 with --ion-gvn=off at Assertion failure: lower_ <= upper_, at jit/RangeAnalysis.h

Tested with:

https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1382089332/jsshell-mac64.zip

which I presume is a 64-bit debug non-deterministic threadsafe build.

Guessing this is range analysis at play again.
Flags: needinfo?(sunfish)
Confirmed. Range analysis is computing an invalid range on the path where "1.5 != 2" isn't true. This is a regression in the changes for bug 918607. I'll work on a patch.

This also happens to be an argument for converting range analysis from (int32,bool) bounds to plain double bounds. Double bounds wouldn't need a separate max_exponent_ field, and there'd be no need to have code to keep it consistent with lower_/upper_. But that's beyond the scope of this bug :).
Assignee: general → sunfish
Flags: needinfo?(sunfish)
Blocks: 918607
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(In reply to Dan Gohman [:sunfish] from comment #1)
> This also happens to be an argument for converting range analysis from
> (int32,bool) bounds to plain double bounds.

Please do not mix fixes and features until there is no easy fix.
Depends on: 927389
There is an easy fix. Range::intersect just needs to check for an empty range after making adjustments to lower_ and upper_.
Attachment #819379 - Flags: review?(nicolas.b.pierron)
Attachment #819379 - Flags: review?(nicolas.b.pierron) → review+
https://hg.mozilla.org/mozilla-central/rev/3f03e8b077ca
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Component: JavaScript Engine → JavaScript Engine: JIT
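
The fix described in the thread (check for an empty range again after Range::intersect adjusts lower_ and upper_), shown on a simplified model. This is an added example, not SpiderMonkey's code or the landed patch; the Range struct, the exponentLimit helper, the recheck parameter and the meaning given to max_exponent are assumptions made for illustration.

```cpp
// Added illustration: a simplified model, not SpiderMonkey's Range class.
#include <algorithm>
#include <cstdint>
#include <cstdio>

struct Range {
    int32_t lower;     // invariant under test: lower <= upper
    int32_t upper;
    int max_exponent;  // assumed meaning: |x| < 2^(max_exponent + 1), 0..30
};

// Largest int32 magnitude allowed by an exponent bound (hypothetical helper).
static int32_t exponentLimit(int e) {
    return static_cast<int32_t>((static_cast<int64_t>(1) << (e + 1)) - 1);
}

// Returns false when the intersection is empty (the guarded path is
// unreachable); *out is written only when true is returned.
// recheck=false models the missing post-adjustment check.
bool intersect(const Range& a, const Range& b, Range* out, bool recheck = true) {
    int32_t lo = std::max(a.lower, b.lower);
    int32_t hi = std::min(a.upper, b.upper);
    if (lo > hi)
        return false;  // emptiness check before adjustment

    // Adjustment: tighten the int32 bounds using the smaller exponent.
    int e = std::min(a.max_exponent, b.max_exponent);
    lo = std::max(lo, -exponentLimit(e));
    hi = std::min(hi, exponentLimit(e));

    // The adjustment can push the bounds past each other, so check again.
    if (recheck && lo > hi)
        return false;
    *out = Range{lo, hi, e};
    return true;
}

bool invariantHolds(const Range& r) { return r.lower <= r.upper; }

int main() {
    // Constructed inputs: b has no useful int32 upper bound, only an exponent.
    Range a = {10, 20, 4}, b = {5, INT32_MAX, 2}, r = {0, 0, 0};
    bool nonEmpty = intersect(a, b, &r, /*recheck=*/false);
    std::printf("without recheck: nonEmpty=%d [%d, %d] invariant=%d\n",
                nonEmpty, r.lower, r.upper, invariantHolds(r));
    std::printf("with recheck: nonEmpty=%d\n", intersect(a, b, &r));
    return 0;
}
```

With the constructed inputs, the first check passes because [10, 20] and [5, INT32_MAX] overlap; only the exponent adjustment makes the result empty, which is why the second check is needed to keep lower <= upper.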