Closed Bug 649775 Opened 10 years ago Closed 10 years ago

TI: Crash in mjit-generated code

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase) 

The following testcase crashes on TI rev a3eeee8f7803 (run with options -n -m -a), tested on 64 bit:

var x = [, ];
var n = [, ];
var np = 18229;
sa = Array;
function copy_(x, y) {
    var i;
    var k = x < y ? x.length : y.length;
    for (i = 0; i < k; i--)
        x[i];
}
function mont_(x, y, n, np) {
    copy_(x, sa);
}
mont_(x, x, n, np);
Erk, array underflow from an incorrectly hoisted bounds check. Oops! We only accounted for the index variable increasing and overflowing the array, not decreasing and underflowing the array.

http://hg.mozilla.org/projects/jaegermonkey/rev/f3acaebac193
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug649775.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.