Closed Bug 725072 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::ion::LAllocation::isTagged]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

The following testcase crashes on ionmonkey revision d66c148e0756 (run with --ion -n -m), tested on 64 bit:


var AG_CONST = 0.6072529350;
function FIXED(X) {
  return X * 65536.0;
}
var Angles = [ FIXED(45.0), FIXED(26.565), FIXED(14.0362), FIXED(), ];
function cordicsincos() {
    var Y;
    var CurrAngle;
    var Step;
    X = FIXED(AG_CONST);
    CurrAngle = 0;
    for (Step = 0; Step < 12; Step++) {
        if (X  > CurrAngle) {
            NewX = X - (Y >> Step);
            CurrAngle += Angles[Step];
            CurrAngle -= Angles[Step];
        }
    }
}
function cordic( runs ) {
  for ( var i = 0 ; i < runs ; i++ ) {
    actual = cordicsincos();
  }
}
cordic(25000);
This was fixed with another commit a few days ago: http://hg.mozilla.org/projects/ionmonkey/rev/dc65aacb0f4d
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.