test/mjsunit/regress/regress-392114.js - Issue 443903002: Version 3.27.34.12 (merged r22693)

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: test/mjsunit/regress/regress-392114.js

Issue 443903002: Version 3.27.34.12 (merged r22693) (Closed) Base URL: https://v8.googlecode.com/svn/branches/3.27

Patch Set: Created 6 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: test/mjsunit/regress/regress-392114.js

diff --git a/test/mjsunit/regress/regress-frame-details-null-receiver.js b/test/mjsunit/regress/regress-392114.js

similarity index 66%

copy from test/mjsunit/regress/regress-frame-details-null-receiver.js

copy to test/mjsunit/regress/regress-392114.js

index ffe5fbb84ce80c0289a5a76c0a7bc1c798383c49..e5cf1cde372f13c72262855b35f4a00390d3b057 100644

--- a/test/mjsunit/regress/regress-frame-details-null-receiver.js

+++ b/test/mjsunit/regress/regress-392114.js

@@ -1,4 +1,4 @@

// Redistribution and use in source and binary forms, with or without

// modification, are permitted provided that the following conditions are

// met:

@@ -28,24 +28,39 @@

// Flags: --expose-debug-as debug --allow-natives-syntax

Debug = debug.Debug;

-var listened = false;

-function listener(event, exec_state, event_data, data) {

- if (event == Debug.DebugEvent.Exception) {

- for (var i = 0; i < exec_state.frameCount(); i++) {

- print(exec_state.frame(i).receiver());

- print(exec_state.frame(i).func().name());

+function dummy(x) {

+ return x + 100;

+function create_closure() {

+ var f = function(arg) {

+ if (arg) { %DeoptimizeFunction(f); }

+ var a = Array(10);

+ for (var i = 0; i < a.length; i++) {

+ a[i] = i;

}

- listened = true;

+ return f;

}

-Debug.setListener(listener);

-Debug.setBreakOnException();

+var c = create_closure();

+c();

+// c CallIC state now has custom Array handler installed.

+// Turn on the debugger.

+Debug.setListener(function () {});

-assertThrows(function() { delete null['foo']; });

+var d = create_closure();

+%OptimizeFunctionOnNextCall(d);

+// Thanks to the debugger, we recreate the full code too. We deopt and run

+// it, stomping on the unexpected AllocationSite in the type vector slot.

+d(true);

-Debug.clearBreakOnException();

-Debug.setListener(null);

+// CallIC in c misinterprets type vector slot contents as an AllocationSite,

+// corrupting the heap.

+c();

-assertTrue(listened);

+// CallIC MISS - crash due to corruption.

+dummy();

« no previous file with comments | « src/x87/code-stubs-x87.cc ('k') | no next file » | no next file with comments »