Bug 721274 - [jsprofiling] Crash on Heap
Status: RESOLVED FIXED (Closed)
Opened: 12 years ago
Closed: 12 years ago
Component: Core :: JavaScript Engine, defect
Target Milestone: mozilla13
Reporter: decoder
Assignee: bhackett1024
Keywords: crash, testcase
Whiteboard: js-triage-needed
Attachments (1 file): patch, 1.94 KB, dvander: review+
Description (Reporter, 12 years ago)

The following test crashes on mozilla-central revision edf8075b0333 (options -D -m -n -a, 32 bit only):

var SECTION = "15.5.4.7-1";
var j = 0;
for (k = 0, i = 0x0021; i < 0x007e; i++, j++, k++) {
  new TestCase(SECTION, "String.lastIndexOf(" + String.fromCharCode(i) + ", 0)", -1, TEST_STRING.lastIndexOf(String.fromCharCode(i), 0));
}
for (k = 0, i = 0x0020; i < 0x007e; i++, j++, k++) {
  new TestCase(SECTION, "String.lastIndexOf(" + String.fromCharCode(i) + ", " + k + ")", k, TEST_STRING.lastIndexOf(String.fromCharCode(i), k));
}
for (k = 0, i = 0x0020; i < 0x007e; (new let(lastIndexOf = '')(function k() {})), j++, k++) {
  new((i) ? k || this || this : j[SECTION++])(SECTION, "String.lastIndexOf(" + (String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)) + ", " + 0 + ")", LastIndexOf(TEST_STRING, String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2), 0), TEST_STRING.lastIndexOf((String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)), 0));
}
for (k = 0, i = 0x0020; i < 0x007d; i++, j++, k++) {
  new TestCase(SECTION, "String.lastIndexOf(" + (String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)) + ", " + k + ")", k, TEST_STRING.lastIndexOf((String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)), k));
}
for (k = 0, i = 0x0020; i < 0x007d; i++, j++, k++) {
  new TestCase(SECTION, "String.lastIndexOf(" + (String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)) + ", " + k + 1 + ")", k, ((j % 2)).lastIndexOf((String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)), k + 1));
}
for (k = 0, i = 0x0020; i < 0x007d; i++, j++, k++) {
  new TestCase(SECTION, (String.fromCharCode(i) + String.fromCharCode(((function () {})) - this * []) + String.fromCharCode(i + 2)) + ", " + (k - 1) + ")", LastIndexOf(TEST_STRING, String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2), k - 1), TEST_STRING.lastIndexOf((String.fromCharCode(i) + String.fromCharCode(i + 1) + String.fromCharCode(i + 2)), k - 1));
}

This is a code profiling (-D) issue, not security relevant.
Comment 1 (Assignee, 12 years ago)

Interaction between chunk compilation and code profiling. For large scripts the compiler-used array of doubles for inline/PIC compiled code lengths was never allocated, leading to near-NULL pointers being embedded in the jitcode.

Assignee: general → bhackett1024
Attachment #601061 - Flags: review?(dvander)
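As an added illustration of the mechanism described in comment 1 (this is not SpiderMonkey code and not the patch attached to this bug): a per-script table of doubles is meant to be allocated before the JIT bakes the addresses of its entries into jitcode. If one compilation path skips the allocation, the address computed for entry i is NULL plus i times sizeof(double), a near-NULL pointer that faults on the unmapped zero page as soon as the emitted code touches it. The names ScriptProfile, compile_whole, compile_chunked_buggy and embed_site_checked are hypothetical, and the 4096-byte unmapped low page is an assumption about the platform.

```c
/*
 * Added illustration of the bug class in comment 1 (not SpiderMonkey code).
 * One compilation path forgets to allocate the per-site table, so the
 * address the emitter would embed is NULL + index * sizeof(double).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    size_t nsites;          /* number of inline/PIC sites in the script */
    double *code_lengths;   /* lazily allocated table, one entry per site */
} ScriptProfile;

/* Whole-script path (hypothetical): allocates the table. */
static int compile_whole(ScriptProfile *p, size_t nsites) {
    p->nsites = nsites;
    p->code_lengths = calloc(nsites, sizeof(double));
    return p->code_lengths != NULL;
}

/* Buggy chunked path (hypothetical): records the size, never allocates. */
static void compile_chunked_buggy(ScriptProfile *p, size_t nsites) {
    p->nsites = nsites;
    /* allocation missing: p->code_lengths stays NULL */
}

/* Address the emitter would embed for site i, computed as an integer so the
 * NULL-base case is observable without undefined pointer arithmetic. */
static uintptr_t embedded_address(const ScriptProfile *p, size_t i) {
    return (uintptr_t)p->code_lengths + i * sizeof(double);
}

/* Assumption: the lowest page is unmapped, so any address below it faults. */
#define NULL_PAGE_SIZE 4096u
static int is_near_null(uintptr_t addr) {
    return addr < NULL_PAGE_SIZE;
}

/* Fixed emitter: bounds-check the site, allocate on demand, and refuse to
 * embed a near-NULL address. Returns 1 and stores the address on success. */
static int embed_site_checked(ScriptProfile *p, size_t i, uintptr_t *out) {
    if (i >= p->nsites)
        return 0;
    if (p->code_lengths == NULL) {
        p->code_lengths = calloc(p->nsites, sizeof(double));
        if (p->code_lengths == NULL)
            return 0;
    }
    uintptr_t addr = embedded_address(p, i);
    if (is_near_null(addr))
        return 0;
    *out = addr;
    return 1;
}

/* What the buggy chunked path would embed for site i. */
static uintptr_t buggy_site_address(size_t nsites, size_t i) {
    ScriptProfile p = { 0, NULL };
    compile_chunked_buggy(&p, nsites);
    return embedded_address(&p, i);
}

/* Whether the whole-script path yields a usable address for site i. */
static int whole_site_is_safe(size_t nsites, size_t i) {
    ScriptProfile p = { 0, NULL };
    int ok = compile_whole(&p, nsites) && i < nsites &&
             !is_near_null(embedded_address(&p, i));
    free(p.code_lengths);
    return ok;
}

/* Whether the fixed emitter yields a usable address after the buggy path. */
static int checked_site_is_safe(size_t nsites, size_t i) {
    ScriptProfile p = { 0, NULL };
    compile_chunked_buggy(&p, nsites);
    uintptr_t addr = 0;
    int ok = embed_site_checked(&p, i, &addr) && !is_near_null(addr);
    free(p.code_lengths);
    return ok;
}

int main(void) {
    uintptr_t bad = buggy_site_address(64, 5);
    printf("buggy chunked path embeds 0x%lx (near-NULL: %s)\n",
           (unsigned long)bad, is_near_null(bad) ? "yes" : "no");
    printf("whole-script path, site 5: %s\n",
           whole_site_is_safe(64, 5) ? "usable address" : "refused");
    printf("checked emitter after buggy path, site 5: %s\n",
           checked_site_is_safe(64, 5) ? "usable address" : "refused");
    printf("checked emitter, site 64 (out of range): %s\n",
           checked_site_is_safe(64, 64) ? "usable address" : "refused");
    return 0;
}
```

The buggy path embeds 0x28 for site 5, which is why a crash of this shape reads as a NULL-plus-small-offset dereference in a triage: with the low page unmapped, the jitcode faults deterministically instead of reading or writing attacker-influenced memory, which is consistent with the reporter's "not security relevant" assessment.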
Updated (12 years ago)

Attachment #601061 - Flags: review?(dvander) → review+
Comment 2 (Assignee, 12 years ago)

https://hg.mozilla.org/integration/mozilla-inbound/rev/b21fb5b6ea1f
Comment 3 (12 years ago)

https://hg.mozilla.org/mozilla-central/rev/b21fb5b6ea1f

Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13