      1 // Copyright 2012 the V8 project authors. All rights reserved.
      2 // Redistribution and use in source and binary forms, with or without
      3 // modification, are permitted provided that the following conditions are
      4 // met:
      5 //
      6 //     * Redistributions of source code must retain the above copyright
      7 //       notice, this list of conditions and the following disclaimer.
      8 //     * Redistributions in binary form must reproduce the above
      9 //       copyright notice, this list of conditions and the following
     10 //       disclaimer in the documentation and/or other materials provided
     11 //       with the distribution.
     12 //     * Neither the name of Google Inc. nor the names of its
     13 //       contributors may be used to endorse or promote products derived
     14 //       from this software without specific prior written permission.
     15 //
     16 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     17 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     18 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
     19 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
     20 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
     21 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
     22 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
     23 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
     24 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
     25 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
     26 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
     27 
     28 // Flags: --expose-gc
     29 
     // Keyed store of Math.E into element 0 of `a`.  This call site is the
     // keyed store IC that the regression scenario below specializes for fast
     // double elements, so the store itself must stay a plain `a[0] = ...`.
     function KeyedStoreIC(a) {
       a[0] = Math.E;
     }
     31 
     32 // Create literal with a fast double elements backing store
     // Array literal whose elements start out in a fast double elements backing
     // store (unboxed doubles rather than tagged values).
     var literal = [1.2];

     // Two warm-up stores specialize the keyed store IC inside KeyedStoreIC for
     // fast double elements; from here on that IC assumes a double backing store.
     KeyedStoreIC(literal);
     KeyedStoreIC(literal);

     // Truncate the array to 0 elements, at which point the backing store is
     // replaced with the empty fixed array.
     literal.length = 0;

     // The ArrayPush built-in replaces the empty fixed array backing store with a
     // 19-element fixed array backing store.  The map still describes fast double
     // elements, so the map and the backing store now disagree -- a type
     // confusion between what the object claims to hold and what it holds.
     // Debug mode will crash here in the set_elements accessor.
     literal.push(Math.E, Math.E);

     // Corrupt the backing store: the IC is still specialized for double elements
     // and writes Math.E as a raw double into a store that now holds tagged
     // values (see the gc() note below for why that is memory-unsafe).
     KeyedStoreIC(literal);

     // gc() is available because of the --expose-gc flag in the file header.
     // Release mode will crash here when the collector visits the parts of E as
     // pointers.  A fixed build must survive both the push above and this
     // collection without a crash.
     gc();
     52 gc();
     53