From d04cf825f1adce4a760847b3b735e23a26e59429 Mon Sep 17 00:00:00 2001 From: "bclary@bclary.com" Date: Sun, 6 May 2007 01:06:47 -0700 Subject: [PATCH] JavaScript Tests - regression tests for bug 360681, by Igor Bukanov --- js/tests/js1_5/Array/regress-360681-01.js | 64 ++++++++++++++++ js/tests/js1_5/Array/regress-360681-02.js | 89 +++++++++++++++++++++++ 2 files changed, 153 insertions(+) create mode 100755 js/tests/js1_5/Array/regress-360681-01.js create mode 100755 js/tests/js1_5/Array/regress-360681-02.js diff --git a/js/tests/js1_5/Array/regress-360681-01.js b/js/tests/js1_5/Array/regress-360681-01.js new file mode 100755 index 00000000000..488ecec92a4 --- /dev/null +++ b/js/tests/js1_5/Array/regress-360681-01.js @@ -0,0 +1,64 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is JavaScript Engine testing utilities. + * + * The Initial Developer of the Original Code is + * Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2006 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): Igor Bukanov + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +//----------------------------------------------------------------------------- +var bug = 360681; +var summary = 'Regression from bug 224128'; +var actual = ''; +var expect = ''; + + +//----------------------------------------------------------------------------- +test(); +//----------------------------------------------------------------------------- + +function test() +{ + enterFunc ('test'); + printBugNumber (bug); + printStatus (summary); + + expect = actual = 'No Crash'; + + var a = Array(3); + a[0] = 1; + a[1] = 2; + a.sort(function () { gc(); return 1; }); + + reportCompare(expect, actual, summary); + + exitFunc ('test'); +} diff --git a/js/tests/js1_5/Array/regress-360681-02.js b/js/tests/js1_5/Array/regress-360681-02.js new file mode 100755 index 00000000000..14543e8c9a2 --- /dev/null +++ b/js/tests/js1_5/Array/regress-360681-02.js @@ -0,0 +1,89 @@ +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* ***** BEGIN LICENSE BLOCK ***** + * Version: MPL 1.1/GPL 2.0/LGPL 2.1 + * + * The contents of this file are subject to the Mozilla Public License Version + * 1.1 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * http://www.mozilla.org/MPL/ + * + * Software distributed under the License is distributed on an "AS IS" basis, + * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License + * for the specific language governing rights and limitations under the + * License. + * + * The Original Code is JavaScript Engine testing utilities. + * + * The Initial Developer of the Original Code is + * Mozilla Foundation. + * Portions created by the Initial Developer are Copyright (C) 2006 + * the Initial Developer. All Rights Reserved. + * + * Contributor(s): Igor Bukanov + * + * Alternatively, the contents of this file may be used under the terms of + * either the GNU General Public License Version 2 or later (the "GPL"), or + * the GNU Lesser General Public License Version 2.1 or later (the "LGPL"), + * in which case the provisions of the GPL or the LGPL are applicable instead + * of those above. If you wish to allow use of your version of this file only + * under the terms of either the GPL or the LGPL, and not to allow others to + * use your version of this file under the terms of the MPL, indicate your + * decision by deleting the provisions above and replace them with the notice + * and other provisions required by the GPL or the LGPL. If you do not delete + * the provisions above, a recipient may use your version of this file under + * the terms of any one of the MPL, the GPL or the LGPL. + * + * ***** END LICENSE BLOCK ***** */ +//----------------------------------------------------------------------------- +var bug = 360681; +var summary = 'Regression from bug 224128'; +var actual = ''; +var expect = ''; + + +//----------------------------------------------------------------------------- +test(); +//----------------------------------------------------------------------------- + +function test() +{ + enterFunc ('test'); + printBugNumber (bug); + printStatus (summary); + + expect = actual = 'No Crash'; + + var N = 1000; + +// Make an array with a hole at the end + var a = Array(N); + for (i = 0; i < N - 1; ++i) + a[i] = 1; + +// array_sort due for array with N elements with allocates a temporary vector +// with 2*N. Lets create strings that on 32 and 64 bit CPU cause allocation +// of the same amount of memory + 1 word for their char arrays. After we GC +// strings with a reasonable malloc implementation that memory will be most +// likely reused in array_sort for the temporary vector. Then the bug causes +// accessing the one-beyond-the-aloocation word and re-interpretation of +// 0xFFF0FFF0 as GC thing. + + var str1 = Array(2*(2*N + 1) + 1).join(String.fromCharCode(0xFFF0)); + var str2 = Array(4*(2*N + 1) + 1).join(String.fromCharCode(0xFFF0)); + gc(); + str1 = str2 = null; + gc(); + + var firstCall = true; + a.sort(function (a, b) { + if (firstCall) { + firstCall = false; + gc(); + } + return a - b; + }); + + reportCompare(expect, actual, summary); + + exitFunc ('test'); +}