Bug 662072 - TI+JM: crash in mjit-generated code
Product: Core
Classification: Components
Component: JavaScript Engine
Version: unspecified
Platform: All All
Importance: -- normal
Target Milestone: ---
Assigned To: general
Triage Owner: Jason Orendorff [:jorendorff]
Blocks: infer-regress
Reported: 2011-06-04 11:40 PDT by Jan de Mooij [:jandem]
Modified: 2011-06-04 13:49 PDT


Description  Jan de Mooij [:jandem]  2011-06-04 11:40:03 PDT
(function () {
    var x;
    x = arguments.length;
    return function () {
        [1][x = arguments.length];
    };
})()();  // closing lines reconstructed: the test case is truncated on the page after the [1][...] statement
This crashes 64-bit shell with -m -n -a.
Comment 1  Brian Hackett (:bhackett)  2011-06-04 13:49:23 PDT
During frame prologues for scripts which use their arguments, we make sure the number of actual arguments is correctly set even if nargs == nactual, to speed up accesses to arguments.length and bounds checks on arguments[i] later on.  On x64 we used a 32 bit store but would later do 64 bit arithmetic on it, so we could end up reading uninitialized high bits from the field.
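An added illustration of the store-width mismatch described in comment 1; it is not code from this bug or from SpiderMonkey. A 64-bit slot that is written with a 32-bit store keeps whatever high bits the memory held before, and a later 64-bit bounds check trusts that stale value. The Frame layout, the 0xAB fill standing in for reused stack memory, and the little-endian x64 byte order are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a JIT stack frame (not SpiderMonkey's real
 * layout): the actual-argument count lives in a 64-bit slot. */
typedef struct {
    uint64_t nactual;    /* number of actual arguments */
    uint64_t argv[4];    /* argument values; only padding for this demo */
} Frame;

/* Buggy prologue: a 32-bit store into the 64-bit slot. On little-endian
 * x64 this updates only the low four bytes; the high four bytes keep
 * whatever the slot held before the call. */
static void prologue_store32(Frame *f, uint32_t nactual)
{
    memcpy(&f->nactual, &nactual, sizeof nactual);
}

/* Fixed prologue: write the whole 64-bit slot (zero-extending), so the
 * later 64-bit arithmetic sees exactly the count that was stored. */
static void prologue_store64(Frame *f, uint32_t nactual)
{
    f->nactual = (uint64_t)nactual;
}

/* Later mjit-style code: a 64-bit bounds check for arguments[i]. */
static int index_in_bounds(const Frame *f, uint64_t i)
{
    return i < f->nactual;
}

/* Build a frame whose memory is reused from an earlier call (simulated
 * by filling it with 0xAB), run one of the two prologues with `nactual`
 * arguments, and return the count the 64-bit reader observes. */
static uint64_t observed_nactual(int fixed, uint32_t nactual)
{
    Frame f;
    memset(&f, 0xAB, sizeof f);          /* constructed stale contents */
    if (fixed)
        prologue_store64(&f, nactual);
    else
        prologue_store32(&f, nactual);
    return f.nactual;
}

/* Same setup, but report the bounds-check verdict for arguments[i]. */
static int check_index(int fixed, uint32_t nactual, uint64_t i)
{
    Frame f;
    memset(&f, 0xAB, sizeof f);          /* constructed stale contents */
    if (fixed)
        prologue_store64(&f, nactual);
    else
        prologue_store32(&f, nactual);
    return index_in_bounds(&f, i);
}

int main(void)
{
    printf("32-bit store, 64-bit read: 0x%016llx\n",
           (unsigned long long)observed_nactual(0, 1));
    printf("64-bit store, 64-bit read: 0x%016llx\n",
           (unsigned long long)observed_nactual(1, 1));
    printf("arguments[5] of 1 passes buggy check: %d\n", check_index(0, 1, 5));
    printf("arguments[5] of 1 passes fixed check: %d\n", check_index(1, 1, 5));
    return 0;
}
```

With one actual argument, the buggy path reports a count of 0xABABABAB00000001 and lets an index of 5 through the bounds check, while the fixed path reports 1 and rejects it. In a real engine the high bits are whatever the previous frame left behind, so the misbehaviour depends on prior stack contents and may not reproduce on every run; matching the store width to the width of the later read, as comment 1 describes, removes that dependence.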
