Closed
Bug 940638
Opened 11 years ago
Closed 11 years ago
IonMonkey: trap with --ion-check-range-analysis, assignment into Float32Array
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 944321
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: regression, testcase)
var Float32ArrayView = new Float32Array(new ArrayBuffer(96));
function f(i)
{
Float32ArrayView[0] = 0x7fffffff >> i;
}
f(5);
f(0);
With --ion-eager --ion-check-range-analysis, this traps.
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/a43cf13bd6a6
user: Benjamin Bouvier
date: Thu Jul 18 15:13:15 2013 -0700
summary: Bug 888109: Float32 general optimizations for IonMonkey: framework and arithmetic operations; r=sstangl,nbp
Flags: needinfo?(benj)
Comment 1•11 years ago
|
||
The upper bound of MToFloat32 is in this case JSVAL_INT_MAX, which can't be represented exactly as a Float32. As this is the output value of the conversion, the range analysis checks for JSVAL_INT_MAX while the closest Float32 representation is JSVAL_INT_MAX + 1, so the check fails.
After discussion with sunfish on IRC, it could use something like MaxTruncatableExponent but for Float32, which needs more the equivalents of what's already present in mfbt/FloatingPoint.h but for Float32 => bug 939843.
Flags: needinfo?(benj)
Comment 2•11 years ago
|
||
Dan mentions in bug 944321 comment 3 that this bug should be s-s.
Group: core-security
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•