Bug 649775 - TI: Crash in mjit-generated code
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: ---
Assigned To: general
Mentors:
Depends on:
Blocks: infer-regress langfuzz
Reported: 2011-04-13 13:15 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:20 PST (History)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
Description Christian Holler (:decoder) 2011-04-13 13:15:29 PDT
The following testcase crashes on TI rev a3eeee8f7803 (run with options -n -m -a), tested on 64 bit:

var x = [, ];                   // length-1 array containing a hole
var n = [, ];
var np = 18229;
sa = Array;                     // implicit global, passed as `y` below
function copy_(x, y) {
    var i;
    var k = x < y ? x.length : y.length;
    for (i = 0; i < k; i--)     // i only ever decreases from 0, so `i < k` stays true
        x[i];                   // indexes x with -1, -2, ... once the bounds check is hoisted
}
function mont_(x, y, n, np) {
    copy_(x, sa);
}
mont_(x, x, n, np);
Comment 1 Brian Hackett (:bhackett) 2011-04-13 15:23:53 PDT
Erk, array underflow from an incorrectly hoisted bounds check. Oops! We only accounted for the index variable increasing and overflowing the array, not decreasing and underflowing the array.

http://hg.mozilla.org/projects/jaegermonkey/rev/f3acaebac193
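Comment 1 describes the defect as a bounds check hoisted on the assumption that the loop index only ever increases. The block below is an added example, not code from this bug or from SpiderMonkey's JIT: a toy JavaScript model of the hoisting decision for a counted loop, with the increment-only reasoning beside a version that accounts for the step direction, and a small simulator that shows which indices escape the check. The loop descriptor format and the names (`TESTCASE_LOOP`, `indexRange`, `canHoist`, `canHoistIncrementOnly`, `simulate`, `runWith`) are illustrative choices, not engine internals.

```javascript
// Toy model of loop bounds-check hoisting (added example; not SpiderMonkey code).
// A counted loop is described as { init, cmp, bound, step } and stands for
//     for (i = init; i CMP bound; i += step) arr[i];
// The JIT wants to prove once, before the loop, that every i lies in
// [0, length) so the per-access check can be dropped.

// Loop from the bug's testcase: k is x.length, i.e. 1, and the index decrements.
const TESTCASE_LOOP = { init: 0, cmp: "<", bound: 1, step: -1 };

const CMP = {
  "<": (a, b) => a < b,
  "<=": (a, b) => a <= b,
  ">": (a, b) => a > b,
  ">=": (a, b) => a >= b,
};

// Range of index values the loop condition actually guarantees, or null when
// the condition does not bound the index in the direction it moves.
function indexRange(loop) {
  const { init, cmp, bound, step } = loop;
  if (step === 0) return { lo: init, hi: init };
  if (step > 0) {
    // Increasing index: only an upper-bound condition caps it.
    if (cmp === "<") return { lo: init, hi: bound - 1 };
    if (cmp === "<=") return { lo: init, hi: bound };
    return null;
  }
  // Decreasing index: only a lower-bound condition caps it. With `i < k; i--`
  // nothing stops i from going negative, so the access cannot be hoisted.
  if (cmp === ">=") return { lo: bound, hi: init };
  if (cmp === ">") return { lo: bound + 1, hi: init };
  return null;
}

// Correct decision: hoist only if the whole guaranteed range lies in [0, length).
function canHoist(loop, length) {
  const r = indexRange(loop);
  return r !== null && r.lo >= 0 && r.hi < length;
}

// The reasoning comment 1 describes as the bug: assume the index only grows,
// take init as the minimum and the condition's bound as the maximum, and never
// look at the step sign. It happily hoists the check for TESTCASE_LOOP.
function canHoistIncrementOnly(loop, length) {
  const { init, cmp, bound } = loop;
  const hi = cmp === "<" ? bound - 1 : cmp === "<=" ? bound : init;
  return init >= 0 && hi < length;
}

// Execute the loop against an array of `length` elements. When the check was
// hoisted, out-of-bounds indices are recorded (in the JIT these would be raw
// reads outside the array's storage); otherwise the per-iteration check bails
// out at the first bad index, as the slow path would.
function simulate(loop, length, hoisted, maxIters) {
  const cond = CMP[loop.cmp];
  const oob = [];
  let i = loop.init;
  for (let n = 0; n < maxIters && cond(i, loop.bound); n++, i += loop.step) {
    if (i >= 0 && i < length) continue;
    if (!hoisted) break;
    oob.push(i);
  }
  return oob;
}

// Apply a hoisting decision and report which indices escaped the check.
function runWith(decide, loop, length, maxIters) {
  const hoisted = decide(loop, length);
  return { hoisted, oob: simulate(loop, length, hoisted, maxIters) };
}

console.log(runWith(canHoistIncrementOnly, TESTCASE_LOOP, 1, 4)); // { hoisted: true, oob: [-1, -2, -3] }
console.log(runWith(canHoist, TESTCASE_LOOP, 1, 4));              // { hoisted: false, oob: [] }
```

The simulator caps iterations because the testcase loop never terminates on its own: `i < k` stays true as `i` decreases, which is exactly why a single pre-loop check against `k` cannot stand in for the per-access check.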
Comment 2 Christian Holler (:decoder) 2013-01-14 08:20:40 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug649775.js.
