diff options
| author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
|---|---|---|
| committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 19:33:14 +0000 |
| commit | 36d22d82aa202bb199967e9512281e9a53db42c9 (patch) | |
| tree | 105e8c98ddea1c1e4784a60a5a6410fa416be2de /js/src/tests/non262/extensions/clone-sab.js | |
| parent | Initial commit. (diff) | |
| download | firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.tar.xz firefox-esr-36d22d82aa202bb199967e9512281e9a53db42c9.zip | |
Adding upstream version 115.7.0esr.upstream/115.7.0esrupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'js/src/tests/non262/extensions/clone-sab.js')
| -rw-r--r-- | js/src/tests/non262/extensions/clone-sab.js | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/js/src/tests/non262/extensions/clone-sab.js b/js/src/tests/non262/extensions/clone-sab.js new file mode 100644 index 0000000000..3b35f90abc --- /dev/null +++ b/js/src/tests/non262/extensions/clone-sab.js @@ -0,0 +1,31 @@ +// |reftest| skip-if(!xulRuntime.shell) +/* -*- Mode: js2; tab-width: 40; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* + * Any copyright is dedicated to the Public Domain. + * https://creativecommons.org/publicdomain/zero/1.0/ + */ + +// Deserialize a serialization buffer containing a reference to a +// SharedArrayBuffer buffer object enough times and we will crash because of a +// reference counting bug. + +if (!this.SharedArrayBuffer) { + reportCompare(true,true); + quit(0); +} + +let x = new SharedArrayBuffer(1); +let y = serialize(x, [], {SharedArrayBuffer: 'allow'}); +x = null; + +// If the bug is present this loop usually crashes quickly during +// deserialization because the memory has become unmapped. + +for (let i=0 ; i < 50 ; i++ ) { + let obj = deserialize(y, {SharedArrayBuffer: 'allow'}); + let z = new Int8Array(obj); + z[0] = 0; +} + +reportCompare(true, true); + |