Closed Bug 893726 Opened 12 years ago Closed 12 years ago

Assertion failure: store->ptr()->type() == MIRType_Int32, at ion/TypePolicy.cpp:565

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 893732

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision 18467a85acf6 (run with --fuzzing-safe --ion-eager): var buf = serialize(new Date(NaN)); var n = -(8.64e15 + 1); var nbuf = serialize(n); for (var j = 0; j < 8; j++) buf[j + (0.00000000123)] = nbuf[j];
Marked s-s because I don't know what the type mismatch in this assertion could cause.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/0670cdaf7e9c user: Brian Hackett date: Thu Jul 11 15:08:26 2013 -0600 summary: Bug 891400 - Improve pattern matching on static typed array accesses, r=jandem. This iteration took 341.676 seconds to run.
Needinfo from Brian based on comment 3 :)
Flags: needinfo?(bhackett1024)
Blocks: 891400
Keywords: regression
This is slightly different from bug 893732 (affects stores rather than loads) but will be fixed by that bug.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: