for each (let a in [2, 2, 2]) { a %= a; a %= a; } Assertion failed: _allocator.active[FST0] && _fpuStkDepth == -1 || !_allocator.active[FST0] && _fpuStkDepth == 0 (../nanojit/Assembler.cpp:407)

Wow. WTF?

David this might be the modulo demotion code. We have to do another bug squashing day tomorrow. This stuff is piling up.

any idea what the LIR looks like that triggers this assert? if its malformed (maybe float/int mismatch), maybe could catch it upstream.

LIR looks like: js_dmod2 = js_dmod ( $stack2 $stack2 ) js_dmod3 = js_dmod ( js_dmod2 js_dmod2 ) asm_farg does FSTPQ twice which triggers this assert. Simple fix might be to evict FST0 every time we use it as an input argument. This generates a little more ugly code, but perhaps hint() should not be hinting at FST0 for fcall. Any suggestions?

If the simple fix works, go for it. a more general fix: Prescan the args, and if >1 are in FST0, then issue a FST(0) to pop the reg, and then change FSTPQ to FSTQ. the result should be (reading forwards) FSTQ FSTQ FST(0) call fmod with a little more code wrangling (passing around state flags between asm_call and asm_farg), the best code would be: FSTQ FSTPQ call fmod

From discussion on IRC, it seems like just evicting is easiest. The heuristics get complicated trying to pre-scan the argument list. Pushed fix w/ comments as changeset http://hg.mozilla.org/tracemonkey/rev/5d6e3e1e78ec

http://hg.mozilla.org/mozilla-central/rev/e8ed1a635e7d /cvsroot/mozilla/js/tests/js1_7/regress/regress-465484.js,v <-- regress-465484.js initial revision: 1.1

v 1.9.1, 1.9.2

(In reply to comment #5) Prescanning to generate optimal code seems like the best way to proceed, but a cheap prescan could simply note multiple args in FST0 and evict.

Sounds good. It's probably a 2-liner. Want to give it a try? Otherwise I can take this one.

(In reply to comment #11) > Want to give it a try? I'm working on it, pottering my way through learning the nanojit data structures :) -- a review would be goodness when I have a patch, if you would.