Closed Bug 724872 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash with illegal instruction (--ion-eager)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

References

Details

(Keywords: crash, testcase)

Attachments

(1 file)

fix
1.10 KB, patch
cdleary
: review+
Details | Diff | Splinter Review
The following testcase crashes on ionmonkey revision c34398f961e7 (run with --ion -n -m --ion-eager), tested on 64 bit: function f() { var x = ("1234"); var y = 0; return x % y; } assertEq(f(), NaN);
Fyi, I have a lot more crashes that involve --ion-eager but they all change crash signatures or asserts during minimization, so they are likely also memory corruptions. I'll be holding those back until this is fixed :)
Attached patch fixSplinter Review
Simple bug - we had talked through that LOsiPoints would always be patchable without any padding, which looks true for the middle of the buffer, but not necessarily if the call is at the very end.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #595160 - Flags: review?(christopher.leary)
Attachment #595160 - Flags: review?(christopher.leary) → review+
http://hg.mozilla.org/projects/ionmonkey/rev/902e1b6364c4
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: