Status
()
People
(Reporter: decoder, Unassigned)
Tracking
(Blocks 2 bugs, {crash, testcase})
Firefox Tracking Flags
(Not tracked)
Details
The following testcase crashes on TI rev a3eeee8f7803 (run with options -n -m -a), tested on 64 bit:
var x = [, ];
var n = [, ];
var np = 18229;
sa = Array;
function copy_(x, y) {
var i;
var k = x < y ? x.length : y.length;
for (i = 0; i < k; i--)
x[i];
}
function mont_(x, y, n, np) {
copy_(x, sa);
}
mont_(x, x, n, np);
|
||
Comment 1•8 years ago
|
||
Erk, array underflow from an incorrectly hoisted bounds check. Oops! We only accounted for the index variable increasing and overflowing the array, not decreasing and underflowing the array. http://hg.mozilla.org/projects/jaegermonkey/rev/f3acaebac193
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 2•7 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug649775.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•