x = {}; x.toString = (function(stdlib, heap) { Int8ArrayView = stdlib.Int8Array(heap); Float32ArrayView = stdlib.Float32Array(heap); function f() { Int8ArrayView[0] = Float32ArrayView[0] } return f })(this, ArrayBuffer); x + 1 asserts js debug shell on m-c changeset c38b60b9063e with --ion-eager at Assertion failure: false (MOZ_ASSUME_UNREACHABLE(unexpected type)), at jit/Lowering.cpp and crashes js opt shell at js::jit::MTruncateToInt32::accept I tested that the opt crash happens on Windows 8. Setting needinfo from bbouvier since I just spoke to him in-person about this. My configure flags are: Opt shell: --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe <other NSPR options> Debug shell: --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-threadsafe <other NSPR options>

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/a43cf13bd6a6 user: Benjamin Bouvier date: Thu Jul 18 15:13:15 2013 -0700 summary: Bug 888109: Float32 general optimizations for IonMonkey: framework and arithmetic operations; r=sstangl,nbp This iteration took 0.976 seconds to run.

Not a Odin bug as the outer function doesn't contain the "use asm" token, but still a very good catch :) A patch in bug 913282 fixes that behavior, it should land early next week.

Looks like the ARM patches are now needed and blocking progression of bug 913282, so here is a workaround that just converts Float32 to Doubles before storing them in an Int*Array. The TruncateToInt32 patch of bug 913282 will remove this part.

Auto nit: I added the test case on my local patch.

Unfortunately, bug 919118 still hangs even with this patch applied.

Comment on attachment 808769 [details] [diff] [review] bug915903.patch Review of attachment 808769 [details] [diff] [review]: ----------------------------------------------------------------- Acceptable as a workaround. ::: js/src/jit/TypePolicy.cpp @@ +652,5 @@ > case ScalarTypeRepresentation::TYPE_UINT16: > case ScalarTypeRepresentation::TYPE_INT32: > case ScalarTypeRepresentation::TYPE_UINT32: > if (value->type() != MIRType_Int32) { > + if (value->type() == MIRType_Float32) { Could you leave a comment above this line, reading "Workaround for Bug 915903."?

Carrying forward r+ from sstangl. [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 888109 User impact if declined: crashes / hangs on some web sites (e.g. Google Maps...) Testing completed (on m-c, etc.): testing completed on m-i, all tests pass Risk to taking this patch (and alternatives if risky): very low, if not no risk String or IDL/UUID changes made by this patch: N/A

JSBugMon: This bug has been automatically verified fixed.

Cleaning up list of security bugs for b2g18. This bug doesn't need to be backported either due to it affecting a later version of Fx or another reason.