regress-360681-02.js (1707B)
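/* -*- tab-width: 2; indent-tabs-mode: nil; js-indent-level: 2 -*- */
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

//-----------------------------------------------------------------------------
var BUGNUMBER = 360681;
var summary = 'Regression from bug 224128';
var actual = '';
var expect = '';


//-----------------------------------------------------------------------------
test();
//-----------------------------------------------------------------------------

/**
 * Regression test for bug 360681: sorting an array whose last slot is a hole
 * while a garbage collection runs inside the comparator must not crash.
 *
 * The test has no value to compare; it passes simply by reaching
 * reportCompare(), so `expect` and `actual` are both set to 'No Crash' up
 * front. A crash or a memory-checker report (e.g. under a sanitizer build) is
 * the failure signal.
 *
 * printBugNumber, printStatus, gc and reportCompare are not defined in this
 * file; presumably they are supplied by the test harness / JS shell.
 *
 * NOTE(review): the statement order and the allocation sizes below are the
 * test. Do not reorder, merge or "simplify" them.
 */
function test()
{
  printBugNumber(BUGNUMBER);
  printStatus (summary);

  expect = actual = 'No Crash';

  var N = 1000;

  // Make an array with a hole at the end: length N, indices 0..N-2 filled,
  // index N-1 never assigned.
  var a = Array(N);
  // `i` is declared locally; the original loop assigned to an undeclared
  // name, which created an implicit global.
  for (var i = 0; i < N - 1; ++i)
    a[i] = 1;

  // For an array with N elements, array_sort allocates a temporary vector of
  // 2*N words. Create strings whose char arrays occupy that amount of memory
  // plus one word: str1 is sized for 32-bit CPUs and str2 for 64-bit CPUs
  // (assuming 2-byte chars). After the strings are collected, a reasonable
  // malloc implementation will most likely reuse that memory for the
  // temporary vector in array_sort. The bug then causes an access to the word
  // one past the end of the allocation, and the stale string data
  // (0xFFF0FFF0) is re-interpreted as a GC thing.

  var str1 = Array(2*(2*N + 1) + 1).join(String.fromCharCode(0xFFF0));
  var str2 = Array(4*(2*N + 1) + 1).join(String.fromCharCode(0xFFF0));
  gc();
  // Drop the only references so the second gc() can free both char arrays.
  str1 = str2 = null;
  gc();

  // Force exactly one collection from inside the comparator, i.e. while the
  // sort is still in progress.
  var firstCall = true;
  a.sort(function (a, b) {
    if (firstCall) {
      firstCall = false;
      gc();
    }
    return a - b;
  });

  reportCompare(expect, actual, summary);
}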