Closed Bug 758181 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash [@ js::ion::MNode::block] or [@ js::ion::Loop::isInLoop]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Assigned: jandem)

References

Details

Attachments

(1 file)

Patch
1.62 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
I get this crash a lot in the browser, below is a reduced testcase. function Ld(a) { var sum = 0; for (var d = 5; 0 <= d; d--) sum += a[d]; return sum; } var arr = [0, 1, 2, 3, 4, 5, 6]; for (var i=0; i < 50; i++) assertEq(Ld(arr), 15);
Attached patch PatchSplinter Review
We're missing a NULL check in tryHoistBoundsCheck. The loop condition is "0 <= d" and in this case LinearSum::term is NULL. I don't know this function very well though, so please double-check.
Attachment #626776 - Flags: review?(bhackett1024)
Attachment #626776 - Flags: review?(bhackett1024) → review+
Thanks for the fast review. https://hg.mozilla.org/projects/ionmonkey/rev/d99898b8c8fe
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: