Closed Bug 682345 Opened 13 years ago Closed 13 years ago

TI: Crash on Heap

Categories

(Core :: JavaScript Engine, defect)

Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Status: RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase)

The following testcase crashes on TI revision d60ffe67a13f (run with -j -m -n -a), tested on 64 bit:


for (var i = 0; i <= 0x017f; i++) {
    var U = new Unicode(i);
}
function Unicode(c) {
    u = GetUnicodeValues(c);   // assigns the implicit global u (undefined for some c)
    this.upper = u[0];         // property access on the global u
}
function GetUnicodeValues(c) {
    u = new Array();           // implicit global u
    if ((c >= 0x0100 && c < 0x0138) || (c > 0x0149 && c < 0x0178)) try {} finally {
        return;                // yields undefined for these ranges
    }
    return u;
}
Note that this test does not reproduce anymore on tip. Filed at request of bhackett to investigate if it was fixed by a later revision.
This bug was still on tip even though it didn't manifest, a regression from bug 680951 a few days ago. This bug added a new kind of type barrier used for accesses on undefined properties of singleton objects. If the property was later explicitly assigned 'undefined', then a second type barrier needed to be generated for accesses on the singleton, and the presence of the first barrier incorrectly caused the second to be filtered out (the first one is less strict about the circumstances it must be observed by an opcode). The fix corrects the detect-duplicates logic for type barriers.

http://hg.mozilla.org/projects/jaegermonkey/rev/9a0172368402
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
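The access pattern described in the comment above, reduced to a self-checking script. This is an added example, not the bug's own testcase and not JaegerMonkey code; the names `holder`, `produce`, `observe` and `runPattern` are chosen here. It drives the same two property states (a singleton object's property holding an array, then explicitly assigned `undefined`) through a hot loop and reports the observable result of each, so that it can serve as a regression check: a correct engine, interpreted or JIT-compiled, must return the same outcome for every iteration in the same state.

```javascript
// Added example: a self-checking reduction of the access pattern behind this bug.
// Not the bug's own testcase and not engine code; the names below are chosen here.
//
// A property of a singleton object (the global object, as with the testcase's
// implicit global `u`) is first read while holding an array, then explicitly
// assigned `undefined` and read again. Whatever the JIT has speculated about
// that property, the observable results must not change between iterations;
// the type barriers discussed in the comment exist to guarantee that.

var holder = globalThis;   // the singleton object whose property `u` is accessed

// Mirrors GetUnicodeValues: stores an array in the property, but for c >= 0x0100
// leaves via `finally { return; }` and therefore yields undefined.
function produce(c) {
  holder.u = [];
  if (c >= 0x0100) {
    try {} finally {
      return;              // explicit undefined result
    }
  }
  return holder.u;
}

// Mirrors Unicode(): assigns the property, then reads `u[0]`, and reports
// the observable outcome as a string instead of letting it propagate.
function observe(c) {
  holder.u = produce(c);   // `u` is now [] or undefined
  try {
    return String(holder.u[0]);   // [] has no element 0 -> "undefined"
  } catch (e) {
    return e.constructor.name;    // undefined[0] throws -> "TypeError"
  }
}

// Runs the loop long enough for a method JIT to compile the hot path and
// records the outcome for each property state, throwing on any drift.
function runPattern(limit) {
  var outcomes = {};
  for (var i = 0; i <= limit; i++) {
    var state = i < 0x0100 ? "array" : "undefined";
    var got = observe(i);
    if (!(state in outcomes)) {
      outcomes[state] = got;
    } else if (outcomes[state] !== got) {
      throw new Error("result drifted at i=" + i + ": " + got);
    }
  }
  return outcomes;
}

console.log(runPattern(0x017f));   // correct engine: { array: 'undefined', undefined: 'TypeError' }
```

Running it under a JS shell with and without the JIT enabled (for example with the shell flags the report lists) and comparing the two outputs turns the pattern into a differential check: the interpreter defines the expected outcomes, and any deviation or crash in the compiled path points at the barrier logic.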
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug682345.js.
Flags: in-testsuite+