The following testcase asserts on mozilla-central revision 05d3797276d3 (run with --fuzzing-safe --ion-eager --ion-regalloc=backtracking): function test() { var x = 0.0; while(1) -("") >> x / x; } test();

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/4370f503d69f user: Brian Hackett date: Thu May 23 13:25:19 2013 -0600 summary: Bug 875276 - Don't profile types in scripts until they are compiled by baseline, r=jandem. This iteration took 10.723 seconds to run.

Needinfo from Brian based on comment 3.

I believe this is a bug with how the x86 lowering code creates LDivI. I am working on a patch.

The comment added in Lowering-x86-shared.cpp briefly explains the tricky situation imposed by LDivI's constraints here. Other approaches to fixing this bug are possible. One could say that the register allocator should provide mechanisms to allow the constraints to be precisely modeled, however as long as this situation is limited to LDivI, it isn't obviously worthwhile. The attached patch has the advantage of being uncomplicated and unobtrusive.

Updated to include the testcase.

Comment on attachment 785441 [details] [diff] [review] div-self.patch Review of attachment 785441 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for the delay, and thanks! ::: js/src/ion/shared/CodeGenerator-x86-shared.cpp @@ +766,5 @@ > + Register output = ToRegister(ins->output()); > + MDiv *mir = ins->mir(); > + > + JS_ASSERT(mir->canBeDivideByZero()); > + rm extra whitespace