The following testcase asserts on mozilla-central revision 677e87c11252 (run with --ion-eager): function dumpArgs6(i) { if (i == 90) return funapply6.arguments.length; return [i]; } function funapply6() { return dumpArgs6.apply({}, arguments); } function test6(i) { return funapply6(i,1,2,3); } test6(89)[0] test6(0.2 )

S-s because infer failures can be security related.

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 120021:e8578248b798 user: Hannes Verschore date: Sun Jan 27 22:51:41 2013 +0100 summary: Bug 824473: IonMonkey: Enable inlining of JSOP_FUNAPPLY, r=dvander This iteration took 107.917 seconds to run.

Hannes, can you take a look based on comment 2? Also let me know please if this has any security implications (e.g. potential crashes, etc.). If you have any questions regarding that, feel free to ping me on IRC. Thanks!

Just to inform that I got the needinfo and looking into it. It's the argument type (double) of test6 that doesn't get added. I have actually no idea which implications this has. This is definitely caused by my patch and I'll fix it as soon as possible.

Comment on attachment 715116 [details] [diff] [review] Disable funapply inlining when typeset of callee is tighter than caller Flipping review to Nicolas

Comment on attachment 715116 [details] [diff] [review] Disable funapply inlining when typeset of callee is tighter than caller Review of attachment 715116 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/IonBuilder.cpp @@ +3171,5 @@ > + // doesn't update the types in the "apply" function, resulting in missed types. > + if (op == JSOP_FUNAPPLY) { > + types::TypeSet *calleeType, *callerType; > + for (size_t i = 0; i < target->nargs; i++) { > + calleeType = types::TypeScript::ArgTypes(targetScript, i); I guess we want to use the oracle here: calleeType = oracle->parameterTypeSet(targetScript, i);

Comment on attachment 715116 [details] [diff] [review] Disable funapply inlining when typeset of callee is tighter than caller Review of attachment 715116 [details] [diff] [review]: ----------------------------------------------------------------- I guess this will have to be removed when support excluded types for FUN_APPLY, right?

https://hg.mozilla.org/integration/mozilla-inbound/rev/64a2c3fb2052 (In reply to Nicolas B. Pierron [:pierron] [:nbp] from comment #8) > Comment on attachment 715116 [details] [diff] [review] > I guess this will have to be removed when support excluded types for > FUN_APPLY, right? Doesn't need to, but it could get removed. As long as the types are also seen in the caller script and not only in the callee script. Because now those types are only seen in the callee script and therefore the "apply" function doesn't get the type updates.

JSBugMon: This bug has been automatically verified fixed.