847412 - IonMonkey: Assertion failure: [infer failure] Missing type in object [0x7f23d0f2b820] actual: float, at jsinfer.cpp:315

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision f99a075a5bce (run with --ion-eager):


var gTestcases = new Array();
var gTc = gTestcases.length;
function TestCase( a) {
  this.actual = a;
  gTestcases[gTc++] = this;
}
function test() {
  for ( gTc=0; gTc < gTestcases.length; gTc++ ) {
	gTestcases[gTc].actual.toString()
  }
}
function testOverwritingSparseHole() {
  for (var i = 0; i < 50; i++)
    new TestCase(eval("VAR1 = 0; VAR2 = -1; VAR1 %= VAR2; VAR1"));
}
testOverwritingSparseHole();
test();
this.toSource();

Comment 1

[Christian Holler (:decoder)]

S-s due to infer failure.

Comment 2

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   122546:0ded3af9b2d7
user:        Brian Hackett
date:        Thu Feb 21 06:56:54 2013 -0700
summary:     Bug 743394 - Ion compile JSOP_EVAL, r=jandem.

Brian, is bug 743394 a likely regressor? (Setting flags based on this assumption)

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset:   122543:5b0002d4b427
user:        Brian Hackett
date:        Thu Feb 21 06:46:46 2013 -0700
summary:     Bug 842424 - Add missing newKind, r=terrence.

changeset:   122544:985efc588a5e
user:        Mark Finkle
date:        Thu Feb 21 08:52:37 2013 -0500
summary:     Bug 843361 - Dump list of open files if we fail to unlock the DB r=blassey

changeset:   122545:cd16203968a5
user:        Brian Hackett
date:        Thu Feb 21 06:54:16 2013 -0700
summary:     Bug 842425 - Watch for arrays that need elements converted to doubles when pushing elements, r=jandem.

changeset:   122546:0ded3af9b2d7
user:        Brian Hackett
date:        Thu Feb 21 06:56:54 2013 -0700
summary:     Bug 743394 - Ion compile JSOP_EVAL, r=jandem.

changeset:   122547:48c067a87ba2
user:        Brian Hackett
date:        Thu Feb 21 07:02:41 2013 -0700
summary:     Bug 842424 - Remove assertion.

This iteration took 27.244 seconds to run.

Comment 6

[Brian Hackett [Laid off!]]

Attachment: patch

In the usual direct eval case from Ion, no type barrier was being added for the result of the eval.

Comment 7

[Jan de Mooij [:jandem]]

Comment on attachment 725764 [details] [diff] [review]
patch

Review of attachment 725764 [details] [diff] [review]:
-----------------------------------------------------------------

Good catch.

Comment 8

[Brian Hackett [Laid off!]]

Comment on attachment 725764 [details] [diff] [review]
patch

[Security approval request comment]
Which older supported branches are affected by this flaw?

Nightly.

Comment 9

[Andrew McCreight [:mccr8]]

Comment on attachment 725764 [details] [diff] [review]
patch

Nightly-only security patches don't need sec-approval.

Comment 10

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/91575402209a

Comment 11

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/91575402209a

Comment 12

[Christian Holler (:decoder)]

JSBugMon: This bug has been automatically verified fixed.