Closed
Bug 724944
Opened 13 years ago
Closed 13 years ago
IonMonkey: Crash [@ JSString::isAtom]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Assigned: dvander)
References
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
3.06 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on ionmonkey revision c34398f961e7 (run with --ion -n), tested on 64 bit:
function TestCase(n, d, e, a)
function writeHeaderToLog( string ) {}
var SECTION = "15.1.2.5-2";
for ( var CHARCODE = 0; CHARCODE < 256; CHARCODE += 16 ) {
new TestCase( SECTION, unescape( "%" + (ToHexString(CHARCODE)).substring(0,1) ) );
}
function ToHexString( n ) {
var hex = new Array();
for ( var mag = 1; Math.pow(16,mag) <= n ; mag++ ) { }
for ( index = 0, mag -= 1; mag > 0; index++, mag-- ) { }
var string ="";
switch ( hex[index] ) {
case 10:
string += "A";
}
return string;
}
|
Assignee | |
Comment 1•13 years ago
|
||
The bug is that MTableSwitch cached its default case successor as an MBasicBlock *, but in this example we split a critical edge around that case, and thus the pointer wasn't updated. We hoisted a move up the edge, and then emitted a jump over it.
Fix is to just index into the successor list instead.
|
|
Assignee | |
Comment 2•13 years ago
|
||
Whoops, I forgot that we resort. Here's a better fix.
Attachment #595286 -
Attachment is obsolete: true
Attachment #595286 -
Flags: review?(jdemooij)
Attachment #595290 -
Flags: review?(jdemooij)
|
||
Updated•13 years ago
|
Attachment #595290 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 3•13 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 4•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug724944.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•