IonMonkey: trap with --ion-check-range-analysis, assignment into Float32Array

RESOLVED DUPLICATE of bug 944321

Status

()

Core
JavaScript Engine: JIT
RESOLVED DUPLICATE of bug 944321
5 years ago
2 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 1 bug, {regression, testcase})

Trunk
x86_64
Mac OS X
regression, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

5 years ago
var Float32ArrayView = new Float32Array(new ArrayBuffer(96));
function f(i)
{
    Float32ArrayView[0] = 0x7fffffff >> i;
}
f(5);
f(0);


With --ion-eager --ion-check-range-analysis, this traps.


The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/a43cf13bd6a6
user:        Benjamin Bouvier
date:        Thu Jul 18 15:13:15 2013 -0700
summary:     Bug 888109: Float32 general optimizations for IonMonkey: framework and arithmetic operations; r=sstangl,nbp
Flags: needinfo?(benj)
(Reporter)

Updated

5 years ago
Blocks: 888109
The upper bound of MToFloat32 is in this case JSVAL_INT_MAX, which can't be represented exactly as a Float32. As this is the output value of the conversion, the range analysis checks for JSVAL_INT_MAX while the closest Float32 representation is JSVAL_INT_MAX + 1, so the check fails.

After discussion with sunfish on IRC, it could use something like MaxTruncatableExponent but for Float32, which needs more the equivalents of what's already present in mfbt/FloatingPoint.h but for Float32 => bug 939843.
Flags: needinfo?(benj)
Depends on: 939843
Dan mentions in bug 944321 comment 3 that this bug should be s-s.
Group: core-security

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 944321

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.