Closed Bug 940638 Opened 11 years ago Closed 11 years ago

IonMonkey: trap with --ion-check-range-analysis, assignment into Float32Array

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 944321

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: regression, testcase)

var Float32ArrayView = new Float32Array(new ArrayBuffer(96)); function f(i) { Float32ArrayView[0] = 0x7fffffff >> i; } f(5); f(0); With --ion-eager --ion-check-range-analysis, this traps. The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/a43cf13bd6a6 user: Benjamin Bouvier date: Thu Jul 18 15:13:15 2013 -0700 summary: Bug 888109: Float32 general optimizations for IonMonkey: framework and arithmetic operations; r=sstangl,nbp
Flags: needinfo?(benj)
Blocks: 888109
The upper bound of MToFloat32 is in this case JSVAL_INT_MAX, which can't be represented exactly as a Float32. As this is the output value of the conversion, the range analysis checks for JSVAL_INT_MAX while the closest Float32 representation is JSVAL_INT_MAX + 1, so the check fails. After discussion with sunfish on IRC, it could use something like MaxTruncatableExponent but for Float32, which needs more the equivalents of what's already present in mfbt/FloatingPoint.h but for Float32 => bug 939843.
Flags: needinfo?(benj)
Dan mentions in bug 944321 comment 3 that this bug should be s-s.
Group: core-security
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.