authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 19:33:14 +0000
commit36d22d82aa202bb199967e9512281e9a53db42c9 (patch)
tree105e8c98ddea1c1e4784a60a5a6410fa416be2de /js/src/tests/non262/Array/regress-360681-02.js
parentInitial commit. (diff)
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'js/src/tests/non262/Array/regress-360681-02.js')
-rw-r--r--js/src/tests/non262/Array/regress-360681-02.js55
1 files changed, 55 insertions, 0 deletions
diff --git a/js/src/tests/non262/Array/regress-360681-02.js b/js/src/tests/non262/Array/regress-360681-02.js
new file mode 100644
index 0000000000..ab230e1d4b
--- /dev/null
+++ b/js/src/tests/non262/Array/regress-360681-02.js
@@ -0,0 +1,55 @@
+/* -*- tab-width: 2; indent-tabs-mode: nil; js-indent-level: 2 -*- */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+//-----------------------------------------------------------------------------
+var BUGNUMBER = 360681;
+var summary = 'Regression from bug 224128';
+var actual = '';
+var expect = '';
+
+
+//-----------------------------------------------------------------------------
+test();
+//-----------------------------------------------------------------------------
+
+function test()
+{
+ printBugNumber(BUGNUMBER);
+ printStatus (summary);
+
+ expect = actual = 'No Crash';
+
+ var N = 1000;
+
+// Make an array with a hole at the end
+ var a = Array(N);
+ for (i = 0; i < N - 1; ++i)
+ a[i] = 1;
+
+// array_sort due for array with N elements with allocates a temporary vector
+// with 2*N. Lets create strings that on 32 and 64 bit CPU cause allocation
+// of the same amount of memory + 1 word for their char arrays. After we GC
+// strings with a reasonable malloc implementation that memory will be most
+// likely reused in array_sort for the temporary vector. Then the bug causes
+// accessing the one-beyond-the-aloocation word and re-interpretation of
+// 0xFFF0FFF0 as GC thing.
+
+ var str1 = Array(2*(2*N + 1) + 1).join(String.fromCharCode(0xFFF0));
+ var str2 = Array(4*(2*N + 1) + 1).join(String.fromCharCode(0xFFF0));
+ gc();
+ str1 = str2 = null;
+ gc();
+
+ var firstCall = true;
+ a.sort(function (a, b) {
+ if (firstCall) {
+ firstCall = false;
+ gc();
+ }
+ return a - b;
+ });
+
+ reportCompare(expect, actual, summary);
+}
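Review bot: The fill loop `for (i = 0; i < N - 1; ++i)` never declares `i`, so in this sloppy-mode script it is created as an implicit global; since the harness runs many regression files in one scope, that leaks state between tests and would throw outright under `'use strict'`. Changing it to `for (var i = 0; i < N - 1; ++i)` keeps the behaviour and confines the variable to `test()`. The comparator's parameters `(a, b)` also shadow the outer array `a`, which is harmless here but easy to misread in a test whose whole point is what happens to that array during `sort`; naming them `(x, y)` and returning `x - y` would avoid the ambiguity. The explanatory comment above `str1`/`str2` has a typo, "aloocation", and its first sentence ("array_sort due for array with N elements with allocates") reads as garbled and would benefit from being restated, e.g. "array_sort on an array of N elements allocates a temporary vector of 2*N words".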