tyler.durden/test262
1
0
Fork 0
mirror of https://github.com/tc39/test262.git synced 2025-10-31 19:53:50 +01:00
Code Issues Packages Projects Releases Wiki Activity
test262/implementation-contributed/v8/mjsunit/regress/regress-4023.js
test262-automation 7298a38552 [v8-test262-automation] Updated curation log with latest revision sha's from export and changed files. 
sourceRevisionAtLastExport: 33f2fb0e53d135f0ee17cfccd9d993eb2a6f47de targetRevisionAtLastExport: 31340cbd9add103f586d501b0c3354b7b182abc0
2018-09-14 12:32:18 -04:00

68 lines
2.0 KiB
JavaScript
Raw Blame History

// Copyright 2015 the V8 project authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
// Flags: --allow-natives-syntax --expose-gc --block-concurrent-recompilation
function Inner() {
this.property = "OK";
this.prop2 = 1;
}
function Outer() {
this.o = "u";
}
function KeepMapAlive(o) {
return o.o;
}
function SetInner(o, i) {
o.inner_field = i;
}
function Crash(o) {
return o.inner_field.property;
}
var inner = new Inner();
var outer = new Outer();
// Collect type feedback.
SetInner(new Outer(), inner);
SetInner(outer, inner);
// This function's only purpose is to stash away a Handle that keeps
// outer's map alive during the gc() call below. We store this handle
// on the compiler thread :-)
KeepMapAlive(outer);
KeepMapAlive(outer);
%OptimizeFunctionOnNextCall(KeepMapAlive, "concurrent");
KeepMapAlive(outer);
// So far, all is well. Collect type feedback and optimize.
print(Crash(outer));
print(Crash(outer));
%OptimizeFunctionOnNextCall(Crash);
print(Crash(outer));
// Null out references and perform GC. This will keep outer's map alive
// (due to the handle created above), but will let inner's map die. Hence,
// inner_field's field type stored in outer's map will get cleared.
inner = undefined;
outer = undefined;
gc();
// We could unblock the compiler thread now. But why bother?
// Now optimize SetInner while inner_field's type is still cleared!
// This will generate optimized code that stores arbitrary objects
// into inner_field without checking their type against the field type.
%OptimizeFunctionOnNextCall(SetInner);
// Use the optimized code to store an arbitrary object into
// o2's inner_field, without triggering any dependent code deopts...
var o2 = new Outer();
SetInner(o2, { invalid: 1.51, property: "OK" });
// ...and then use the existing code expecting an Inner-class object to
// read invalid data (in this case, a raw double).
// We crash trying to convert the raw double into a printable string.
print(Crash(o2));
Reference in New Issue View Git Blame Copy Permalink