707997 - Vector.<float4> access beyond vector length not handled when jitted

Status: VERIFIED FIXED

(Tamarin Graveyard :: Baseline JIT (CodegenLIR), defect, P1)

Description

[Brent Baker]

Code:
var vec:Vector.<float4> = new <float4> [float4(0, 0, 0, 0),
                                        float4(1, 1, 1, 0),
                                        float4(2, 2, 2, 0)];

function foo() { print(vec[3]); }
foo();

Expected:
RangeError: Error #1125: The index 3 is out of range 3.

Actual:
#0  0x000a985f in avmplus::ListImpl<float4_t, avmplus::DataListHelper<float4_t, 16ul> >::length (this=0x30) at avmplusList-inlines.h:467
#1  0x001517aa in avmplus::TypedVectorObject<avmplus::DataList<float4_t, 16ul> >::checkReadIndex_u (this=0x0, index=3) at VectorClass-inlines.h:284
#2  0x001517f7 in avmplus::TypedVectorObject<avmplus::DataList<float4_t, 16ul> >::_getFloat4UintProperty (this=0x0, result=0x11df4b8, index=3) at VectorClass-impl.h:544
#3  0x011fba16 in ?? ()
#4  0x000f6a1a in avmplus::BaseExecMgr::endCoerce (env=0x11d61a0, argc=0, ap=0xbfffe9f0, ms=0x109b980) at ../core/exec.cpp:885
#5  0x000f7c73 in avmplus::BaseExecMgr::invokeGeneric (env=0x11d61a0, argc=0, atomv=0xbfffebf0) at ../core/exec.cpp:1086
...
...

Comment 1

[Virgil Palanciuc]

Wow, that was a scary bug (wrong calling convention on vector getters, for float4; only worked in regular cases because the helpers are not typically called).
Fixed in changeset 7040:b73cb9de7c93.

Comment 2

[Brent Baker]

Testmedia added:

changeset:   7041:0f24de2c043b
tag:         tip
user:        Brent Baker <brbaker@adobe.com>
date:        Wed Dec 07 06:35:49 2011 -0500
summary:     Bug 707997: testmedia for  Vector.<float4> access beyond vector length