The following test asserts/crashes on mozilla-central revision 1463dc6308a8 (options -m -n), tested on 32 bit:

    var fe="vv";
    for (i=0; i<24; i++) fe += fe;
    var fu=new Function(
        fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
        fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
        fe, fe, fe, fe, fe, fe, fe, fe, fe, fe,
        fe, fe, fe, fe, fe, fe, fe, fe,
        "done"
    );

Stepping through the assert causes glibc to terminate:

    Program received signal SIGABRT, Aborted.
    *** glibc detected *** /srv/repos/mozilla-central/js/src/debug32/js: malloc(): memory corruption: 0x084fbcc8 ***
    ======= Backtrace: =========
    [...]
Hm, the original test also asserts; it's mozilla-central/js/src/tests/js1_5/Function/regress-338121-02.js. Isn't that test run with the normal test suite?
autoBisect shows this is probably related to the following changeset:

    The first bad revision is:
    changeset:   77764:4d10127fd106
    user:        Chris Leary <firstname.lastname@example.org>
    date:        Thu Sep 22 13:22:30 2011 -0700
    summary:     Bug 684039: rewrite JS LIFO allocator, avoids thrashing. (r=luke)
If the bisected regression is correct this should affect Firefox 9 and not Firefox 8.
Assignee: general → cdleary
status-firefox10: --- → affected
status-firefox8: --- → unaffected
status-firefox9: --- → affected
tracking-firefox10: --- → +
tracking-firefox9: --- → +
Created attachment 566031: Overflow checks. I think this is only trunk (mozilla10, like on the bisected bug). The tests were being skipped because of bug 644241 comment 34. (No good way to specify jstest runs as expected-to-OOM.)
Attachment #566031 - Flags: review?(luke)
Target Milestone: --- → mozilla10
Status: NEW → RESOLVED
Last Resolved: 7 years ago
status-firefox10: affected → fixed
Resolution: --- → FIXED
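As an added illustration (not code from this bug, its patch, or SpiderMonkey's LifoAlloc), a toy bump allocator in C with 32-bit offsets shows the class of defect an overflow check in an allocation path guards against: the unchecked `bump + size` wraps past zero, passes the capacity test and hands out a region that overlaps memory the caller does not own, while the checked variant refuses the request. The chunk size and the request size are constructed values; the page does not describe the exact computation the patch hardened.

```c
#include <stdbool.h>
#include <stdint.h>

/* Toy LIFO (bump) allocator chunk. Offsets are uint32_t so the arithmetic
 * behaves as on a 32-bit build, where the reporter hit the crash. This is
 * an illustration only, not SpiderMonkey's LifoAlloc. */
typedef struct {
    uint32_t capacity;  /* bytes available in this chunk */
    uint32_t bump;      /* bytes already handed out */
} Chunk;

/* Unchecked variant: bump + size can wrap past zero, so the capacity test
 * passes and the caller receives a region that overlaps memory it does
 * not own; heap corruption of exactly this kind tends to surface later,
 * inside malloc(). */
static bool alloc_unchecked(Chunk *c, uint32_t size, uint32_t *offset) {
    uint32_t end = c->bump + size;  /* modular arithmetic: may wrap */
    if (end > c->capacity)
        return false;
    *offset = c->bump;
    c->bump = end;
    return true;
}

/* Checked variant: refuse the request when the addition would overflow,
 * before the capacity comparison is made. */
static bool alloc_checked(Chunk *c, uint32_t size, uint32_t *offset) {
    if (size > UINT32_MAX - c->bump)  /* bump + size would wrap */
        return false;
    uint32_t end = c->bump + size;
    if (end > c->capacity)
        return false;
    *offset = c->bump;
    c->bump = end;
    return true;
}

/* Constructed scenario: 32 bytes already used in a 4 KiB chunk, then a
 * request of 0xFFFFFFF0 bytes (the kind of value an unchecked
 * length * sizeof() product can yield). Returns 1 if the chosen variant
 * wrongly accepts the request, 0 if it rejects it. */
static int accepts_wrapping_request(bool checked) {
    Chunk c = { 4096, 32 };
    uint32_t off = 0;
    bool ok = checked ? alloc_checked(&c, 0xFFFFFFF0u, &off)
                      : alloc_unchecked(&c, 0xFFFFFFF0u, &off);
    return ok ? 1 : 0;
}
```

With these constructed values the unchecked path computes an end offset of 16, well under the 4096-byte capacity, and approves a request that no chunk could hold.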
Can someone who is already set up to reproduce this bug please verify the fix?
Whiteboard: [sg:critical?] js-triage-needed → [sg:critical?][qa-] js-triage-needed
Verified fixed on Firefox 10.
No shipping version had this bug, we can unhide it.
status1.9.2: --- → unaffected
Covered by the jit-test in comment 2.