Closed Bug 945860 Opened 11 years ago Closed 11 years ago

Assertion failure: mir->canBeDivideByZero() || (!mir->isUnsigned() && mir->canBeNegativeDividend()), at jit/shared/CodeGenerator-x86-shared.cpp

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28

People

(Reporter: gkw, Assigned: sunfish)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(2 files)

stack
4.19 KB, text/plain
Details
bug945860.patch
1.76 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
Attached file stack 
function f(x) {
    x(x % x)
}
for (var i = 0; i < 9999; i++) {
    try {
        (function() {
            f(1)
        })()
    } catch (e) {}
}

asserts js debug shell on m-c changeset 4bf430d990e5 with --ion-gvn=off at Assertion failure: mir->canBeDivideByZero() || (!mir->isUnsigned() && mir->canBeNegativeDividend()), at jit/shared/CodeGenerator-x86-shared.cpp

My configure flags are:

CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --disable-threadsafe

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/6787bcb8ea7e
user:        Dan Gohman
date:        Mon Dec 02 13:41:54 2013 -0800
summary:     Bug 944963 - IonMonkey: Add a ModSelf operator to fix an x86 constraint problem with x%x. r=bhackett

Dan, is bug 944963 a likely regressor?
Flags: needinfo?(sunfish)
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #0)
> Dan, is bug 944963 a likely regressor?

Yes.

The assert is indicating that an optimization opportunity was missed. The code is using LModSelf when it could use a constant value.
Assignee: general → sunfish
Flags: needinfo?(sunfish)
Attached patch bug945860.patchSplinter Review 
For bug 946478, LModSelf and LDivSelf will have to be replaced. For now, this patch fixes a minor issue with LModSelfI: it avoids creating an LModSelfI in a case where it can be avoided, to harmonize with later code that asserts that this has been done.
Attachment #8343118 - Flags: review?(bhackett1024)
Attachment #8343118 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/mozilla-central/rev/d648a922f82b
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: