Assertion failure: store->ptr()->type() == MIRType_Int32, at ion/TypePolicy.cpp:565

RESOLVED DUPLICATE of bug 893732

Status

()

Core
JavaScript Engine
--
critical
RESOLVED DUPLICATE of bug 893732
4 years ago
a year ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
x86
Linux
assertion, regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(1 attachment)

(Reporter)

Description

4 years ago
The following testcase asserts on mozilla-central revision 18467a85acf6 (run with --fuzzing-safe --ion-eager):


var buf = serialize(new Date(NaN));
var n =  -(8.64e15 + 1);
var nbuf = serialize(n);
for (var j = 0; j < 8; j++)
  buf[j + (0.00000000123)] = nbuf[j];
(Reporter)

Comment 1

4 years ago
Created attachment 775591 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Comment 2

4 years ago
Marked s-s because I don't know what the type mismatch in this assertion could cause.
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 3

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/0670cdaf7e9c
user:        Brian Hackett
date:        Thu Jul 11 15:08:26 2013 -0600
summary:     Bug 891400 - Improve pattern matching on static typed array accesses, r=jandem.

This iteration took 341.676 seconds to run.
(Reporter)

Comment 4

4 years ago
Needinfo from Brian based on comment 3 :)
Flags: needinfo?(bhackett1024)
Blocks: 891400
Keywords: regression
This is slightly different from bug 893732 (affects stores rather than loads) but will be fixed by that bug.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Duplicate of bug: 893732

Updated

2 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.