Closed Bug 662072 Opened 14 years ago Closed 14 years ago

TI+JM: crash in mjit-generated code

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

Details

Jan de Mooij [:jandem]

Reporter

Description

•

14 years ago

-- (function () { var x; x = arguments.length; return function () { [1][x = arguments.length]; }; }).call().apply(); -- This crashes 64-bit shell with -m -n -a.

Brian Hackett [Laid off!]

Comment 1

•

14 years ago

During frame prologues for scripts which use their arguments, we make sure the number of actual arguments is correctly set even if nargs == nactual, to speed up accesses to arguments.length and bounds checks on arguments[i] later on. On x64 we used a 32 bit store but would later do 64 bit arithmetic on it, so we could end up reading uninitialized high bits from the field. http://hg.mozilla.org/projects/jaegermonkey/rev/6d423e5f2e48

Brian Hackett [Laid off!]

Updated

•

14 years ago

Status: NEW → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

You need to log in before you can comment on or make changes to this bug.

Bugzilla

TI+JM: crash in mjit-generated code

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: jandem, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated