Closed Bug 851796 Opened 11 years ago Closed 11 years ago

IonMonkey: Assertion failure: ins->type() == MIRType_Value, at ion/MIR.h:1795 or Crash on Heap with use of uninitialized value

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 852140

People

(Reporter: decoder, Unassigned)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

The following testcase asserts on mozilla-central revision 8f5b1f9f5804 (run with --ion-eager):


function reportCompare (expected, actual, description) {
  if (expected != actual) {}
}
function enterFunc (funcName) {
  try {} catch(ex) {}
}
function foreachbug() {
    var arryInner = ["innervalue2"];
    for each (i in arryInner)
      return '';
}
reportCompare('', foreachbug());
eval("\
test();\
function test() {\
  enterFunc ('test');\
  var array = Array();\
  for (var expect = 0; expect < 9; expect++)\
    array[i] = i;\
  reportCompare(expect, actual, summary);\
}\
");
Same assert as bug 850657, but this one also crashes on opt builds in a dangerous way:

==14376== Use of uninitialised value of size 4
==14376==    at 0x557556D: ???
==14376== 
==14376== Invalid read of size 4
==14376==    at 0x557556D: ???
==14376==  Address 0x9f58 is not stack'd, malloc'd or (recently) free'd

Not sure if this is the same bug.
Flags: needinfo?(nicolas.b.pierron)
Whiteboard: [jsbugmon:update,bisect]
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   122585:437c955ff06d
user:        Nicolas B. Pierron
date:        Wed Jan 30 07:41:01 2013 -0800
summary:     Bug 796114 - Inline with type-checked arguments. r=h4writer

This iteration took 14.300 seconds to run.
This test case is fixed by the bug 852140 patch.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE
Group: core-security