Closed
Bug 725072
Opened 13 years ago
Closed 13 years ago
IonMonkey: Crash [@ js::ion::LAllocation::isTagged]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: crash, testcase)
Crash Data
The following testcase crashes on ionmonkey revision d66c148e0756 (run with --ion -n -m), tested on 64 bit:
var AG_CONST = 0.6072529350;
function FIXED(X) {
return X * 65536.0;
}
var Angles = [ FIXED(45.0), FIXED(26.565), FIXED(14.0362), FIXED(), ];
function cordicsincos() {
var Y;
var CurrAngle;
var Step;
X = FIXED(AG_CONST);
CurrAngle = 0;
for (Step = 0; Step < 12; Step++) {
if (X > CurrAngle) {
NewX = X - (Y >> Step);
CurrAngle += Angles[Step];
CurrAngle -= Angles[Step];
}
}
}
function cordic( runs ) {
for ( var i = 0 ; i < runs ; i++ ) {
actual = cordicsincos();
}
}
cordic(25000);
This was fixed with another commit a few days ago: http://hg.mozilla.org/projects/ionmonkey/rev/dc65aacb0f4d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•