Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 649775 - TI: Crash in mjit-generated code
: TI: Crash in mjit-generated code
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress langfuzz
  Show dependency treegraph
Reported: 2011-04-13 13:15 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:20 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Christian Holler (:decoder) 2011-04-13 13:15:29 PDT
The following testcase crashes on TI rev a3eeee8f7803 (run with options -n -m -a), tested on 64 bit:

var x = [, ];
var n = [, ];
var np = 18229;
sa = Array;
function copy_(x, y) {
    var i;
    var k = x < y ? x.length : y.length;
    for (i = 0; i < k; i--)
function mont_(x, y, n, np) {
    copy_(x, sa);
mont_(x, x, n, np);
Comment 1 Brian Hackett (:bhackett) 2011-04-13 15:23:53 PDT
Erk, array underflow from an incorrectly hoisted bounds check. Oops! We only accounted for the index variable increasing and overflowing the array, not decreasing and underflowing the array.
Comment 2 Christian Holler (:decoder) 2013-01-14 08:20:40 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug649775.js.

Note You need to log in before you can comment on or make changes to this bug.