IonMonkey: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:353

VERIFIED FIXED

Status


Core
JavaScript Engine
--
major
5 years ago
5 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Other Branch
x86_64
Linux
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following testcase asserts on ionmonkey revision 14735b4dbccc (run with --ion -n -m --ion-eager):


function foo(i)  {
    var n = 0;
    for (var i = 0; i < (false  ); i++)
      n = a++;
    assertEq(n, 29);
}
var a = foo(10);

(Assignee)

Comment 1

5 years ago
Reduced it a bit more:

function foo()  {
    var n = 0;
    while (false)
        n = +a;
    print(n); // bailout
}
foo();

The problem is that when we bail out, n is a double (0.0) instead of an integer. The inferred type of "+a" is value -> value, which we compile to MToDouble. Using MToDouble is fine for "value -> double" but for "value -> value" we should probably just call a stub.

Note that value -> int32 has the same problem (double value instead of int32). This testcase also triggers the assert:

function bar(x) {
    var y = +(x ? x : "foo");
    print(y);
}
bar(10);

Assignee: general → jdemooij
Status: NEW → ASSIGNED
(Assignee)

Comment 2

5 years ago
Created attachment 625079 [details] [diff] [review]
Patch

This follows JSOP_NEG and compiles +x as x * 1. Seems like it's the simplest fix and does not regress SS/V8/Kraken.
Attachment #625079 - Flags: review?(dvander)
Attachment #625079 - Flags: review?(dvander) → review+
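
A differential check of the premise behind the fix in Comment 2, that +x and x * 1 produce the same result for every input; this is an added example, not code from the bug or the attached patch. The numberKind int32/double split is a simplified model assumed for illustration, and all function names and sample inputs are constructed here.

```javascript
// Simplified model (an assumption for illustration): a number counts as
// "int32" if it is an integer in [-2^31, 2^31-1] and is not -0; any other
// number counts as "double".
function numberKind(v) {
  if (typeof v !== "number") return typeof v;
  const isInt32 = Number.isInteger(v) && v >= -2147483648 &&
                  v <= 2147483647 && !Object.is(v, -0);
  return isInt32 ? "int32" : "double";
}

// Run op(x) and record either its value or the name of the error it throws,
// so inputs such as Symbol can still be compared.
function outcome(op, x) {
  try {
    const value = op(x);
    return { threw: null, value, kind: numberKind(value) };
  } catch (e) {
    return { threw: e.name, value: undefined, kind: "throw" };
  }
}

const unaryPlus = (x) => +x;
const timesOne = (x) => x * 1;

// Constructed sample inputs covering the conversions ToNumber performs.
const SAMPLES = [
  10, 0, -0, 0.5, 2147483647, 2147483648, -2147483648, NaN, Infinity,
  "foo", "29", " 12 ", "", "0x10", "-0", true, false, null, undefined,
  [], [7], {}, { valueOf() { return 3; } }, { valueOf() { return "1.5"; } },
  Symbol("s"),
];

// Inputs on which the two operations disagree (expected: none).
function findMismatches(samples) {
  return samples.filter((x) => {
    const a = outcome(unaryPlus, x);
    const b = outcome(timesOne, x);
    return a.threw !== b.threw || !Object.is(a.value, b.value);
  });
}

// Result kinds of +v for the two operands the conditional in the second
// testcase can yield: x itself (10) or the string "foo".
function kindsForBarOperands() {
  return [10, "foo"].map((x) => numberKind(+x));
}

console.log(findMismatches(SAMPLES).length, kindsForBarOperands());
```

The same expression yields an int32-representable result for one operand and a double (NaN) for the other, which is why a fixed double or int32 result cannot be assumed for a "value" input.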
(Assignee)

Comment 3

5 years ago
https://hg.mozilla.org/projects/ionmonkey/rev/ceb5ab053f82
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 4

5 years ago
JSBugMon: This bug has been automatically verified fixed.
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
(Assignee)

Updated

5 years ago
Group: core-security
(Reporter)

Comment 5

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug756247.js.
Flags: in-testsuite+