Closed Bug 724944 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash [@ JSString::isAtom]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set
major

RESOLVED FIXED

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: crash, testcase)

Attachments

(1 file, 1 obsolete file)

The following testcase crashes on ionmonkey revision c34398f961e7 (run with --ion -n), tested on 64 bit:

function TestCase(n, d, e, a)
function writeHeaderToLog( string ) {}
var SECTION = "15.1.2.5-2";
for ( var CHARCODE = 0; CHARCODE < 256; CHARCODE += 16 ) {
  new TestCase( SECTION, unescape( "%" + (ToHexString(CHARCODE)).substring(0,1) ) );
}
function ToHexString( n ) {
  var hex = new Array();
  for ( var mag = 1; Math.pow(16,mag) <= n ; mag++ ) { }
  for ( index = 0, mag -= 1; mag > 0; index++, mag-- ) { }
  var string ="";
  switch ( hex[index] ) {
    case 10:
      string += "A";
  }
  return string;
}

Attached patch fix (obsolete) — Splinter Review
The bug is that MTableSwitch cached its default case successor as an MBasicBlock *, but in this example we split a critical edge around that case, and thus the pointer wasn't updated. We hoisted a move up the edge, and then emitted a jump over it. Fix is to just index into the successor list instead.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #595286 - Flags: review?(jdemooij)
Attached patch better fix — Splinter Review
Whoops, I forgot that we re-sort. Here's a better fix.
Attachment #595286 - Attachment is obsolete: true
Attachment #595286 - Flags: review?(jdemooij)
Attachment #595290 - Flags: review?(jdemooij)
Attachment #595290 - Flags: review?(jdemooij) → review+
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug724944.js.
Flags: in-testsuite+
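
The stale-pointer failure described in the comment on the first patch, as an added C++ example (not IonMonkey code, and not taken from either attachment). `Block`, `TableSwitch` and the helper names are simplified stand-ins assumed for illustration, and the model does not re-sort successors, which the follow-up comment gives as the reason the first patch was replaced.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Simplified stand-ins for MIR types; names and layout are assumptions.
struct Block {
    int id;
    bool holdsHoistedMove;  // true for a block inserted on a split critical edge
};

struct TableSwitch {
    std::vector<Block*> successors;  // the list that edge splitting rewrites
    Block* cachedDefault = nullptr;  // buggy design: a second copy of one edge
    std::size_t defaultIndex = 0;    // first-patch design: position in the list

    void setDefault(Block* b) {
        defaultIndex = successors.size();
        successors.push_back(b);
        cachedDefault = b;
    }
    // Critical-edge splitting redirects successor i through a new block.
    // It only knows about the successor list, so the cache is left untouched.
    void replaceSuccessor(std::size_t i, Block* split) { successors[i] = split; }

    Block* defaultViaCache() const { return cachedDefault; }
    Block* defaultViaList() const { return successors[defaultIndex]; }
};

// A jump that lands anywhere but the split block skips the move hoisted onto the edge.
bool jumpSkipsHoistedMove(const Block* target) { return !target->holdsHoistedMove; }

struct Result { bool cacheSkipsMove; bool listSkipsMove; };

Result splitDefaultEdge() {
    Block case0{1, false}, dflt{2, false}, split{3, true};
    TableSwitch ts;
    ts.successors.push_back(&case0);
    ts.setDefault(&dflt);
    ts.replaceSuccessor(ts.defaultIndex, &split);  // split the default edge
    return { jumpSkipsHoistedMove(ts.defaultViaCache()),
             jumpSkipsHoistedMove(ts.defaultViaList()) };
}

int main() {
    Result r = splitDefaultEdge();
    std::printf("cached pointer skips move: %d\n", r.cacheSkipsMove);
    std::printf("list lookup skips move:    %d\n", r.listSkipsMove);
    return 0;
}
```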