| Ben Murdoch | b8a8cc1 | 2014-11-26 15:28:44 +0000 | [diff] [blame] | 1 | // Copyright 2012 the V8 project authors. All rights reserved. |
| 2 | // Redistribution and use in source and binary forms, with or without |
| 3 | // modification, are permitted provided that the following conditions are |
| 4 | // met: |
| 5 | // |
| 6 | // * Redistributions of source code must retain the above copyright |
| 7 | // notice, this list of conditions and the following disclaimer. |
| 8 | // * Redistributions in binary form must reproduce the above |
| 9 | // copyright notice, this list of conditions and the following |
| 10 | // disclaimer in the documentation and/or other materials provided |
| 11 | // with the distribution. |
| 12 | // * Neither the name of Google Inc. nor the names of its |
| 13 | // contributors may be used to endorse or promote products derived |
| 14 | // from this software without specific prior written permission. |
| 15 | // |
| 16 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
| 17 | // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
| 18 | // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
| 19 | // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT |
| 20 | // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 21 | // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT |
| 22 | // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, |
| 23 | // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY |
| 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT |
| 25 | // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 26 | // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 | |
| 28 | // Flags: --allow-natives-syntax |
| 29 | |
| 30 | // Create elements in a constructor function to ensure map sharing. |
| 31 | function TestConstructor() { |
| 32 | this[0] = 1; |
| 33 | this[1] = 2; |
| 34 | this[2] = 3; |
| 35 | } |
| 36 | |
| 37 | function bad_func(o,a) { |
| 38 | var s = 0; |
| 39 | for (var i = 0; i < 1; ++i) { |
| 40 | o.newFileToChangeMap = undefined; |
| 41 | var x = a[0]; |
| 42 | s += x; |
| 43 | } |
| 44 | return s; |
| 45 | } |
| 46 | |
| 47 | o = new Object(); |
| 48 | a = new TestConstructor(); |
| 49 | bad_func(o, a); |
| 50 | |
| 51 | // Make sure that we're out of pre-monomorphic state for the member add of |
| 52 | // 'newFileToChangeMap' which causes a map transition. |
| 53 | o = new Object(); |
| 54 | a = new TestConstructor(); |
| 55 | bad_func(o, a); |
| 56 | |
| 57 | // Optimize, before the fix, the element load and subsequent tagged-to-i were |
| 58 | // hoisted above the map check, which can't be hoisted due to the map-changing |
| 59 | // store. |
| 60 | o = new Object(); |
| 61 | a = new TestConstructor(); |
| 62 | %OptimizeFunctionOnNextCall(bad_func); |
| 63 | bad_func(o, a); |
| 64 | |
| 65 | // Pass in a array of doubles. Before the fix, the optimized load and |
| 66 | // tagged-to-i will treat part of a double value as a pointer and de-ref it |
| 67 | // before the map check was executed that should have deopt. |
| 68 | o = new Object(); |
| 69 | // Pass in an elements buffer where the bit representation of the double numbers |
| 70 | // are two adjacent small 32-bit values with the lowest bit set to one, causing |
| 71 | // tagged-to-i to SIGSEGV. |
| 72 | a = [2.122e-314, 2.122e-314, 2.122e-314]; |
| 73 | bad_func(o, a); |