843875 - IonMonkey: Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:314

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision d57a813c77a4 (run with --ion-eager):


function writeHeaderToLog( string ) { }
var input = [ 0xfffffff0, 101 ];
var arr = new Uint32Array(input.length);
var expected = [ 0xffffffff, 101 ];
for (var i=0; i<arr.length; i++) {
  arr[i] = writeHeaderToLog[i] = expected[i] = i * 8;
}

Comment 1

[Christian Holler (:decoder)]

S-s because infer failures can be security related.

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   120310:d7dd65663469
user:        Brian Hackett
date:        Tue Jan 29 16:20:03 2013 -0700
summary:     Bug 833898 - Allow converting mixed arrays of ints and doubles to uniform doubles, r=jandem.

This iteration took 0.603 seconds to run.

Comment 3

[Christian Holler (:decoder)]

bhackett says this (and other bugs caused by bug 833898) are not s-s because they only lead to a confusion between double and int. Opening up and needinfo on Brian :)

Comment 4

[Brian Hackett [Laid off!]]

Attachment: patch

During Ion compilation the wrong value was pushed back on the stack if a double conversion was needed for the value being written to the array.

Comment 5

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/1b88a261e304

Comment 6

[Gregory Szorc [:gps]]

https://hg.mozilla.org/mozilla-central/rev/1b88a261e304