1 // Copyright 2012 the V8 project authors. All rights reserved. 2 // Redistribution and use in source and binary forms, with or without 3 // modification, are permitted provided that the following conditions are 4 // met: 5 // 6 // * Redistributions of source code must retain the above copyright 7 // notice, this list of conditions and the following disclaimer. 8 // * Redistributions in binary form must reproduce the above 9 // copyright notice, this list of conditions and the following 10 // disclaimer in the documentation and/or other materials provided 11 // with the distribution. 12 // * Neither the name of Google Inc. nor the names of its 13 // contributors may be used to endorse or promote products derived 14 // from this software without specific prior written permission. 15 // 16 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 19 // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 20 // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 21 // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 22 // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 23 // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 25 // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 26 // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 28 // Flags: --allow-natives-syntax 29 30 // Create elements in a constructor function to ensure map sharing. 31 function TestConstructor() { 32 this[0] = 1; 33 this[1] = 2; 34 this[2] = 3; 35 } 36 37 function bad_func(o,a) { 38 var s = 0; 39 for (var i = 0; i < 1; ++i) { 40 o.newFileToChangeMap = undefined; 41 var x = a[0]; 42 s += x; 43 } 44 return s; 45 } 46 47 o = new Object(); 48 a = new TestConstructor(); 49 bad_func(o, a); 50 51 // Make sure that we're out of pre-monomorphic state for the member add of 52 // 'newFileToChangeMap' which causes a map transition. 53 o = new Object(); 54 a = new TestConstructor(); 55 bad_func(o, a); 56 57 // Optimize, before the fix, the element load and subsequent tagged-to-i were 58 // hoisted above the map check, which can't be hoisted due to the map-changing 59 // store. 60 o = new Object(); 61 a = new TestConstructor(); 62 %OptimizeFunctionOnNextCall(bad_func); 63 bad_func(o, a); 64 65 // Pass in a array of doubles. Before the fix, the optimized load and 66 // tagged-to-i will treat part of a double value as a pointer and de-ref it 67 // before the map check was executed that should have deopt. 68 o = new Object(); 69 // Pass in an elements buffer where the bit representation of the double numbers 70 // are two adjacent small 32-bit values with the lowest bit set to one, causing 71 // tagged-to-i to SIGSEGV. 72 a = [2.122e-314, 2.122e-314, 2.122e-314]; 73 bad_func(o, a); 74
