Note: There are a few cases of duplicates in user autocompletion which are being worked on.

TI: Crash in mjit-generated code

RESOLVED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
--
critical
RESOLVED FIXED
Reported:
6 years ago
Modified:
5 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Version:
Trunk
x86_64
Linux
Keywords:
crash, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details
(Reporter)

Description

6 years ago 
The following testcase crashes on TI rev a3eeee8f7803 (run with options -n -m -a), tested on 64 bit:

var x = [, ];
var n = [, ];
var np = 18229;
sa = Array;
function copy_(x, y) {
    var i;
    var k = x < y ? x.length : y.length;
    for (i = 0; i < k; i--)
        x[i];
}
function mont_(x, y, n, np) {
    copy_(x, sa);
}
mont_(x, x, n, np);

Comment 1

6 years ago 
Erk, array underflow from an incorrectly hoisted bounds check. Oops! We only accounted for the index variable increasing and overflowing the array, not decreasing and underflowing the array.

http://hg.mozilla.org/projects/jaegermonkey/rev/f3acaebac193
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
 (Reporter)

Updated

6 years ago
Blocks: 676763
 (Reporter)

Comment 2

5 years ago 
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug649775.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.