Closed Bug 451721 Opened 12 years ago Closed 12 years ago

TM: js1_5/extensions/regress-424942.js FAIL

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set

Tracking

()

VERIFIED FIXED

People

(Reporter: bc, Assigned: igor)

References

Details

(Keywords: regression, testcase)

occurs in mozilla-central, tracemonkey with or without jit enabled.

js1_5/extensions/regress-424942.js
./js1_5/extensions/regress-424942.js:102: InternalError: script too large
Flags: in-testsuite+
Flags: in-litmus-
Summary: js1_5/extensions/regress-424942.js FAIL → TM: js1_5/extensions/regress-424942.js FAIL
Can we retest this? Doesn't look like a jit bug too me.
Bug 445262 cause this.
Blocks: upvar1
No longer blocks: landtm
Assignee: general → igor
This is a regression from the bug 447762. As a result of var/local merge the 64K limit is imposed on the number of variables plus the stack depth, not just the number of variables.

Since the test case creates a function with 2**16-1 variables and 2 stack slots, it fails during the compilation. So for the fix I suggest to change the following lines in the test case:

  print('testing (1<<16) - 1')
  testoverflow((1<<16) - 1);
  print('done testing (1<<16) - 1');

into something like:

  // we use 2**16-3, not 2**16-1, as 64K is the limit for the number
  // of variables in a function plus the stack depth and the function
  // uses 2 stack slots.
  print('testing (1<<16) - 3')
  testoverflow((1<<16) - 3);
  print('done testing (1<<16) - 3');

Such change would not affect the test coverage as any number beyond 32K would expose the original problem reported in the bug 447762.

To Bob Clary: would you update the test case in the bug 447762?
Blocks: 447762
No longer blocks: upvar1
Group: core-security
dveditz, I screwed up and have been discussing a security sensitive bug in public. Not sure of the implications, but we should assume someone has enough information to replicate.

test updated in attachment to bug 424942
I guess I am the biggest contributer to the screwup. Sorry about that.
fixed via updating the test case
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
verified fixed mozilla-central, tracemonkey but not a product issue - only test.
Status: RESOLVED → VERIFIED
Group: core-security
You need to log in before you can comment on or make changes to this bug.