
Unified Diff: test/mjsunit/regress/regress-169928.js

Issue 11931037: Out of bounds memory access in TestJSArrayForAllocationSiteInfo. (Closed) Base URL: https://v8.googlecode.com/svn/branches/bleeding_edge
Patch Set: Updated other platform conditional test to match change in ia32 Created 7 years, 11 months ago
Index: test/mjsunit/regress/regress-169928.js
diff --git a/test/mjsunit/compiler/inline-arity-mismatch.js b/test/mjsunit/regress/regress-169928.js
similarity index 66%
copy from test/mjsunit/compiler/inline-arity-mismatch.js
copy to test/mjsunit/regress/regress-169928.js
index 4a61fa3a62c36f8f53b12cde023f52bdb6e1abc7..e5efcb11860bcba74d5799cbe66085fd92d26c4e 100644
--- a/test/mjsunit/compiler/inline-arity-mismatch.js
+++ b/test/mjsunit/regress/regress-169928.js
@@ -25,38 +25,29 @@
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-// Flags: --allow-natives-syntax
+// Flags: --allow-natives-syntax --smi-only-arrays --track-allocation-sites
-// Test inlining at call sites with mismatched arity.
-function f(a) {
- return a.x;
+function fastliteralcase(literal, value) {
+ literal[0] = value;
+ return literal;
}
-function g(a, b) {
- return a.x;
-}
-
-function h1(a, b) {
- return f(a, a) * g(b);
-}
-
-function h2(a, b) {
- return f(a, a) * g(b);
+function get_standard_literal() {
+ var literal = [1, 2, 3];
+ return literal;
}
+// Case: [1,2,3] as allocation site
+obj = fastliteralcase(get_standard_literal(), 1);
+obj = fastliteralcase(get_standard_literal(), 1.5);
+obj = fastliteralcase(get_standard_literal(), 2);
-var o = {x: 2};
+obj = fastliteralcase([5, 3, 2], 1.5);
+// The assert indicates that a transition stub made the array FAST_DOUBLE. The
+// bug was in the transition stub. To really reproduce with a access violation
+// the array needs to be allocated at the very end of new space, where top ==
+// limit. The bug was that then we tried to dereference limit.
+assertEquals(true, %HasFastDoubleElements(obj));
-assertEquals(4, h1(o, o));
-assertEquals(4, h1(o, o));
-assertEquals(4, h2(o, o));
-assertEquals(4, h2(o, o));
-%OptimizeFunctionOnNextCall(h1);
-%OptimizeFunctionOnNextCall(h2);
-assertEquals(4, h1(o, o));
-assertEquals(4, h2(o, o));
-var u = {y:0, x:1};
-assertEquals(2, h1(u, o));
-assertEquals(2, h2(o, u));
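Review bot: `obj` is never declared before the first `fastliteralcase(get_standard_literal(), 1)` call, so the four assignments create and reuse an implicit global; declare it once, `var obj = fastliteralcase(get_standard_literal(), 1);`, and keep the later assignments as they are. The final check reads more naturally as `assertTrue(%HasFastDoubleElements(obj));`. The comment above the assert has a typo ("a access violation" should be "an access violation") and, since it already states that the crash only appears when the array lands at top == limit, it would help to say plainly that the assert confirms the FAST_DOUBLE transition path ran rather than the out-of-bounds read itself, e.g. `// The assert does not trigger the overread; it only confirms the transition path that held the bug was exercised.`.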
