451721 - TM: js1_5/extensions/regress-424942.js FAIL

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Bob Clary [:bc] (inactive)]

occurs in mozilla-central, tracemonkey with or without jit enabled.

js1_5/extensions/regress-424942.js
./js1_5/extensions/regress-424942.js:102: InternalError: script too large

Comment 1

[Andreas Gal :gal]

Can we retest this? Doesn't look like a jit bug too me.

Comment 2

[Bob Clary [:bc] (inactive)]

Bug 445262 cause this.

Comment 3

[Igor Bukanov]

This is a regression from the bug 447762. As a result of var/local merge the 64K limit is imposed on the number of variables plus the stack depth, not just the number of variables.

Since the test case creates a function with 2**16-1 variables and 2 stack slots, it fails during the compilation. So for the fix I suggest to change the following lines in the test case:

  print('testing (1<<16) - 1')
  testoverflow((1<<16) - 1);
  print('done testing (1<<16) - 1');

into something like:

  // we use 2**16-3, not 2**16-1, as 64K is the limit for the number
  // of variables in a function plus the stack depth and the function
  // uses 2 stack slots.
  print('testing (1<<16) - 3')
  testoverflow((1<<16) - 3);
  print('done testing (1<<16) - 3');

Such change would not affect the test coverage as any number beyond 32K would expose the original problem reported in the bug 447762.

To Bob Clary: would you update the test case in the bug 447762?

Comment 4

[Bob Clary [:bc] (inactive)]

dveditz, I screwed up and have been discussing a security sensitive bug in public. Not sure of the implications, but we should assume someone has enough information to replicate.

test updated in attachment to bug 424942

Comment 5

[Igor Bukanov]

I guess I am the biggest contributer to the screwup. Sorry about that.

Comment 6

[Igor Bukanov]

fixed via updating the test case

Comment 7

[Bob Clary [:bc] (inactive)]

verified fixed mozilla-central, tracemonkey but not a product issue - only test.